Preface



EUROCRYPT 2000, the nineteenth annual Eurocrypt Conference, was sponsored by the International Association for Cryptologic Research (IACR), in cooperation with the Katholieke Universiteit Leuven in Belgium (research group for Computer Security and Industrial Cryptography, COSIC).

The first conference with the name ‘Eurocrypt’ took place in 1983, but the 
1982 Workshop at Burg Feuerstein was the first open meeting in Europe on 
cryptology; it has been included in Lecture Notes in Computer Science 1440, 
which contains an electronic proceedings and index of the Crypto and Eurocrypt 
conferences 1981-1997. 

The program committee considered 150 papers and selected 39 for presentation at EUROCRYPT 2000. One paper was withdrawn by the authors. The program also included invited talks by Michael Walker (“On the Security of 3GPP Networks”) and Tony Sale (“Colossus and the German Lorenz Cipher - Code Breaking in WW II”). In addition, Andy Clark kindly agreed to chair the traditional rump session for informal presentations of recent results.

The selection of the program was a challenging task, as many high quality submissions were received. Each submission was reviewed by at least three reviewers and most reports had four or more reviews (papers with program committee members as a co-author had at least six reviews). The program committee worked very hard to evaluate the papers with respect to quality, originality, and relevance to cryptology. In most cases they were able to provide extensive comments to the authors (about half a megabyte of comments for authors has been written). Subsequently, the authors of accepted papers have made a substantial effort to take into account the comments in the version submitted to these proceedings. In a limited number of cases, these revisions have been checked by members of the program committee.

First and foremost I would like to thank the members of the program committee for the many hours spent on reviewing and discussing the papers, and for helping me with the difficult decisions.

I gratefully acknowledge the help of a large number of colleagues who reviewed submissions in their area of expertise: Masayuki Abe, N. Asokan, Olivier Baudron, Josh Benaloh, Eli Biham, Simon Blake-Wilson, Johan Borst, Emmanuel Bresson, Jan Camenisch, Ivan Damgård, Anand Desai, Yvo Desmedt, Glenn Durfee, Serge Fehr, Matthias Fitzi, Pierre-Alain Fouque, Matt Franklin, Steven Galbraith, Juan A. Garay, Louis Granboulan, Stuart Haber, Shai Halevi, Martin Hirt, Fredrik Jonsson, Mike Jacobson, Jens G. Jensen, Ari Juels, Jonathan Katz, Robert Lambert, Julio Lopez Hernandez, Phil MacKenzie, Julien March, Willi Meier, Preda Mihailescu, Serge Mister, Fabian Monrose, Sean Murphy, Siaw-Lynn Ng, Phong Nguyen, Valtteri Niemi, Tatsuaki Okamoto, Thomas Pornin, Guillaume Poupard, Bartek Przydatek, Omer Reingold, Vincent Rijmen, Louis Salvail, Tomas Sander, Berry Schoenmakers, Dan Simon, Ben Smeets, Michael Steiner, Jacques Stern, Martin Strauss, Katsuyuki Takashima, Edlyn Teske, Barry Trager, Ramarathnam Venkatesan, Frederik Vercauteren, Susanne Wetzel, Mike Wiener, Peter Wild, Adam Young. I apologise for any inadvertent omissions.

By now, electronic submissions have become a tradition for Eurocrypt. I would like to thank Joe Kilian, who did an excellent job in running the electronic submission server of ACM's SIGACT group. Only five contributions were submitted in paper form; for three of these, I obtained an electronic copy from the authors. The remaining two papers were scanned in to make the process uniform to reviewers. As a first for IACR sponsored conferences, we developed a web interface for entering reviews and discussing papers. Special thanks go to Joris Claessens and Wim Moreau who spent several weeks developing my rough specifications into a flawless program with a smooth user interface. This work made the job of the program committee much easier, as we could focus on the content of the discussion rather than on its organization. This software will be made available to all IACR sponsored conferences.

My ability to run the program committee was increased substantially by the effort and skills provided by the members of COSIC: Vincent Rijmen put together the LaTeX version of the proceedings, Joris Claessens helped with processing the submissions, Johan Borst converted a paper to LaTeX, Pela Noe assisted with organizing the program committee meeting, and (last but not least) Wim Moreau helped with the electronic processing of the submissions and final versions, and with the copyright forms.

I would like to thank Joos Vandewalle, general chair, the members of the organizing committee (Joris Claessens, Danny De Cock, Erik De Win, Marijke De Soete, Keith Martin, Wim Moreau, Pela Noe, Jean-Jacques Quisquater, Vincent Rijmen, Bart Van Rompay, Karel Wouters), and the other members of COSIC for their support. I also thank Elvira Wouters, who took care of the accounting, and Anne De Smet (Momentum), who was responsible for the hotel bookings and the social program. For the first time, the registrations of Eurocrypt were handled by the IACR General Secretariat in Santa Barbara (UCSB); I would like to thank Micky Swick and Sally Vito for the successful collaboration. The organizing committee gratefully acknowledges the financial contributions of our sponsors: Isabel, Ubizen, Europay International, Cryptomathic Belgium, PricewaterhouseCoopers, Utimaco, and the Katholieke Universiteit Leuven.

Finally, I wish to thank all the authors who submitted papers, making this conference possible, and the authors of accepted papers for their cooperation. Special thanks go to Alfred Hofmann and his colleagues at Springer-Verlag for the timely production of this volume.
Stefania Cavallar et al.



Abstract. This paper reports on the factorization of the 512-bit number RSA-155 by the Number Field Sieve factoring method (NFS) and discusses the implications for RSA.



1 Introduction 



On August 22, 1999, we completed the factorization of the 512-bit 155-digit 
number RSA-155 by NFS. The number RSA-155 was taken from the RSA 
Challenge list [34] as a representative 512-bit RSA modulus. Our result is a new 
record for factoring general integers. Because 512-bit RSA keys are frequently 
used for the protection of electronic commerce — at least outside the USA — this 
factorization represents a breakthrough in research on RSA-based systems. 

The previous record, factoring the 140-digit number RSA-140 [8], was established on February 2, 1999, also with the help of NFS, by a subset of the team which factored RSA-155. The amount of computing time spent on RSA-155 was about 8400 MIPS years¹, roughly four times that needed for RSA-140; this is about half of what could be expected from a straightforward extrapolation of the computing time spent on factoring RSA-140 and about a quarter of what would be expected from a straightforward extrapolation of the computing time spent on RSA-130 [11]. The speed-up is due to a new polynomial selection method for NFS of Murphy and Montgomery which was applied for the first time to RSA-140 and now, with improvements, to RSA-155.

Section 2 discusses the implications of this project for the practical use of 
RSA-based cryptosystems. Section 3 has the details of our computations which 
resulted in the factorization of RSA-155. 



2 Implications for the Practice of RSA 

RSA is widely used today [17]. The best size for an RSA key depends on the 
security needs of the user and on how long his/her information needs to be 
protected. 

The amount of CPU time spent to factor RSA-155 was about 8400 MIPS years, which is about four times that used for the factorization of RSA-140. On the basis of the heuristic complexity formula [7] for factoring large N by NFS:

$$\exp\Bigl((1.923 + o(1))\,(\log N)^{1/3}\,(\log\log N)^{2/3}\Bigr), \qquad (1)$$

one would expect an increase in the computing time by a factor of about seven.² This speed-up has been made possible by algorithmic improvements, mainly in the polynomial generation step [26,29,30], and to a lesser extent in the filter step of NFS [9].

¹ One MIPS year is the equivalent of a computation during one full year at a sustained speed of one Million Instructions Per Second.

The complete project to factor RSA-155 took seven calendar months. The 
polynomial generation step took about one month on several fast workstations. 
The most time-consuming step, the sieving, was done on about 300 fast PCs 
and workstations spread over twelve “sites” in six countries. This step took 3.7 
calendar months, in which, summed over all these 300 computers, a total of 
35.7 years of CPU-time was consumed. Filtering the relations and building and 
reducing the matrix corresponding to these relations took one calendar month 
and was carried out on an SGI Origin 2000 computer. The block Lanczos step 
to find dependencies in this matrix took about ten calendar days on one CPU 
of a Cray C916 supercomputer. The final square root step took about two days 
calendar time on an SGI Origin 2000 computer. 

Based on our experience with factoring large numbers we estimate that within 
three years the algorithmic and computer technology which we used to factor 
RSA-155 will be widespread, at least in the scientific world, so that by then 
512-bit RSA keys will certainly not be safe any more. This makes these keys 
useless for authentication or for the protection of data required to be secure for 
a period longer than a few days. 

512-bit RSA keys protect 95% of today’s E-commerce on the Internet [35] — 
at least outside the USA — and are used in SSL (Secure Socket Layer) handshake 
protocols. Underlying this undesirable situation are the old export restrictions 
imposed by the USA government on products and applications using “strong” 
cryptography like RSA. However, on January 12, 2000, the U.S. Department 
of Commerce Bureau of Export Administration (BXA) issued new encryption 
export regulations which allow U.S. companies to use larger than 512-bit keys in 
RSA-based products [38]. As a result, one may replace 512-bit keys by 768-bit 
or even 1024-bit keys thus creating much more favorable conditions for secure 
Internet communication. 

In order to attempt an extrapolation, we give a table of factoring records starting with the landmark factorization in 1970 by Morrison and Brillhart of $F_7 = 2^{2^7} + 1$ with help of the then new Continued Fraction (CF) method. This table includes the complete list of factored RSA-numbers, although RSA-100 and RSA-110 were not absolute records at the time they were factored. Notice that RSA-150 is still open. Some details on recent factoring records are given in Appendix A to this paper.



² By “computing time” we mean the sieve time, which dominates the total amount of CPU time for NFS. However, there is a trade-off between polynomial search time and sieve time which indicates that a non-trivial part of the total amount of computing time should be spent on the polynomial search in order to minimize the sieve time. See Subsection Polynomial Search Time vs. Sieving Time in Section 3.1. When we use (1) for predicting CPU times, we neglect the o(1)-term, which, in fact, is proportional to 1/log(N). All logarithms have base e.
Table 1. Factoring records since 1970

# decimals | date or year | algorithm | effort (MIPS years) | reference
-----------|--------------|-----------|---------------------|----------------------------
39         | Sep 13, 1970 | CF        |                     | F_7 = 2^128 + 1 [27,28]
50         | 1983         | CF        |                     | [6, pp. xliv-xlv]
55-71      | 1983-1984    | QS        |                     | [12, Table I on p. 189]
45-81      | 1986         | QS        |                     | [36, p. 336]
78-90      | 1987-1988    | QS        |                     | [37]
87-92      | 1988         | QS        |                     | [32, Table 3 on p. 274]
93-102     | 1989         | QS        |                     | [21]
107-116    | 1990         | QS        | 275 for C116        | [22]
RSA-100    | Apr 1991     | QS        | 7                   | [34]
RSA-110    | Apr 1992     | QS        | 75                  | [14]
RSA-120    | Jun 1993     | QS        | 835                 | [13]
RSA-129    | Apr 1994     | QS        | 5000                | [2]
RSA-130    | Apr 1996     | NFS       | 1000                | [11]
RSA-140    | Feb 1999     | NFS       | 2000                | [8]
RSA-155    | Aug 1999     | NFS       | 8400                | this paper



Based on this table and on the factoring algorithms which we currently know, 
we anticipate that within ten years from now 768-bit (232-digit) RSA keys will 
become unsafe. 

Let D be the number of decimal digits in the largest “general” number factored by a given date. From the complexity formula for NFS (1), assuming Moore's law (computing power doubles every 18 months), Brent [5] expects $D^{1/3}$ to be roughly a linear function of the calendar year Y. From the data in Table 1 he derives the linear formula

$$Y = 13.24\, D^{1/3} + 1928.6.$$

According to this formula, a general 768-bit number (D=231) will be factored 
by the year 2010, and a general 1024-bit number (D=309) by the year 2018. 

Directions for selecting cryptographic key sizes now and in the coming years are given in [23].
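The two extrapolations used above, as an added worked example that is not code from the paper: formula (1) with the o(1) term dropped, as footnote 2 prescribes, and Brent's fit. The inputs (2000 MIPS years for RSA-140, 1000 for RSA-130, 8400 for RSA-155, D = 231 and 309) are the figures quoted in the text; the function names are ours.

```python
import math


def nfs_log_work(digits):
    """Natural log of (1) for an N with the given number of decimal digits, with the
    o(1) term dropped as in footnote 2: 1.923 (log N)^(1/3) (log log N)^(2/3)."""
    log_n = digits * math.log(10)
    return 1.923 * log_n ** (1 / 3) * math.log(log_n) ** (2 / 3)


def expected_speedup_factor(digits_from, digits_to):
    """Factor by which (1) predicts the sieve time to grow from digits_from to digits_to."""
    return math.exp(nfs_log_work(digits_to) - nfs_log_work(digits_from))


def predicted_effort(known_digits, known_mips_years, target_digits):
    """Straightforward extrapolation of a known effort (in MIPS years) to a larger number."""
    return known_mips_years * expected_speedup_factor(known_digits, target_digits)


def observed_over_predicted(known_digits, known_mips_years, target_digits, actual):
    """Ratio of the real effort to the extrapolated one: the text's 'about half' when
    extrapolating from RSA-140 and 'about a quarter' when extrapolating from RSA-130."""
    return actual / predicted_effort(known_digits, known_mips_years, target_digits)


def brent_year(digits):
    """Brent's fit Y = 13.24 D^(1/3) + 1928.6, rounded to a calendar year."""
    return round(13.24 * digits ** (1 / 3) + 1928.6)


if __name__ == "__main__":
    print("(1) predicts RSA-155 / RSA-140 sieve time ratio:",
          round(expected_speedup_factor(140, 155), 1))
    print("RSA-155 effort vs. extrapolation from RSA-140:",
          round(observed_over_predicted(140, 2000, 155, 8400), 2))
    print("RSA-155 effort vs. extrapolation from RSA-130:",
          round(observed_over_predicted(130, 1000, 155, 8400), 2))
    for bits, d in ((768, 231), (1024, 309)):
        print(f"{bits}-bit general number (D = {d}): factored by", brent_year(d))
```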

The vulnerability of a 512-bit RSA modulus was predicted long ago. A 1991 
report [3, p. 81] recommends: 

For the most applications a modulus size of 1024 bit for RSA should 
achieve a sufficient level of security for “tactical” secrets for the next ten 
years. This is for long-term secrecy purposes, for short-term authenticity 
purposes 512 bit might suffice in this century.



3 Factoring RSA-155

We assume that the reader is familiar with NFS [19], but for convenience we briefly describe the method here. Let N be the number we wish to factor, known to be composite. There are four main steps in NFS: polynomial selection, sieving, linear algebra, and square root.

The polynomial selection step selects two irreducible polynomials $f_1(x)$ and $f_2(x)$ with a common root m mod N. The polynomials have as many smooth values as practically possible over a given factor base.

The sieve step (which is by far the most time-consuming step of NFS) finds pairs (a, b) with gcd(a, b) = 1 such that both

$$b^{\deg f_1} f_1(a/b) \quad\text{and}\quad b^{\deg f_2} f_2(a/b)$$

are smooth over given factor bases, i.e., factor completely over the factor bases. Such a pair (a, b) is called a relation. The purpose of this step is to collect so many relations that several subsets S of them can be found with the property that a product taken over S yields an expression of the form

$$X^2 \equiv Y^2 \pmod N. \qquad (2)$$

For approximately half of these subsets, computing gcd(X − Y, N) yields a nontrivial factor of N (if N has exactly two distinct factors).

The linear algebra step first filters the relations found during sieving, with the purpose of eliminating duplicate relations and relations containing a prime or prime ideal which does not occur elsewhere. In addition, certain relations are merged with the purpose of eliminating primes and prime ideals which occur exactly k times in k different relations, for k = 2, ..., 8. These merges result in so-called relation-sets, defined in Section 3.3, which form the columns of a very large sparse matrix over $\mathbb{F}_2$. With help of an iterative block Lanczos algorithm a few dependencies are found in this matrix: this is the most time- and space-consuming part of the linear algebra step.

The square root step computes the square root of an algebraic number of the form

$$\prod_{(a,b) \in S} (a - b\alpha),$$

where α is a root of one of the polynomials $f_1(x)$, $f_2(x)$, and where for RSA-155 the numbers a, b and the cardinality of the set S can all be expected to be many millions. All a − bα's have smooth norms. With the mapping α ↦ m mod N, this leads to a congruence of the form (2).

In the next four subsections, we describe these four steps, as carried out for 
the factorization of RSA-155. 

3.1 Polynomial Selection 

This section has three parts. The first two parts are aimed at recalling the 
main details of the polynomial selection procedure, and describing the particular 
polynomials used for the RSA-155 factorization. 

Relatively speaking, our selection for RSA-155 is approximately 1.7 times better than our selection for RSA-140. We made better use of our procedure for RSA-155 than we did for RSA-140, in short by searching longer. This poses a new question for NFS factorizations — what is the optimal trade-off between increased polynomial search time and the corresponding saving in sieve time? The third part of this section gives preliminary consideration to this question as it applies to RSA-155.



The Procedure. Our polynomial selection procedure is outlined in [8]. Here we merely restate the details. Recall that we generate two polynomials $f_1$ and $f_2$, using a base-m method. The degree d of $f_1$ is fixed in advance (for RSA-155 we take d = 5). Given a potential $a_d$, we choose an integer $m \approx (N/a_d)^{1/d}$. The polynomial

$$f_1(x) = a_d x^d + a_{d-1} x^{d-1} + \cdots + a_0 \qquad (3)$$

descends from the base-m representation of N, initially adjusted so that $|a_i| \le m/2$ for $0 \le i \le d-1$.

Sieving occurs over the homogeneous polynomials $F_1(x,y) = y^d f_1(x/y)$ and $F_2(x,y) = x - my$. The aim for polynomial selection is to choose $f_1$ and m such that the values $F_1(a,b)$ and $F_2(a,b)$ are simultaneously smooth at many coprime integer pairs (a, b) in the sieving region. That is, we seek $F_1$, $F_2$ with good yield. Since $F_2$ is linear, we concentrate on the choice of $F_1$.

There are two factors which influence the yield of $F_1$, size and root properties, so we seek $F_1$ with a good combination of size and root properties. By size we refer to the magnitude of the values taken by $F_1$. By root properties we refer to the extent to which the distribution of the roots of $F_1$ modulo small $p^n$, for p prime and $n \ge 1$, affects the likelihood of $F_1$ values being smooth. In short, if $F_1$ has many roots modulo small $p^n$, the values taken by $F_1$ “behave” as if they are much smaller than they actually are. That is, on average, the likelihood of $F_1$-values being smooth is increased.

Our search is a two stage process. In the first stage we generate a large sample of good polynomials (polynomials with good combinations of size and root properties). In the second stage we identify, without sieving, the best polynomials in the sample. We concentrate on skewed polynomials, that is, polynomials $f_1(x) = a_5 x^5 + \cdots + a_0$ whose first few coefficients ($a_5$, $a_4$ and $a_3$) are small compared to m, and whose last few coefficients ($a_2$, $a_1$ and $a_0$) may be large compared to m. Usually $|a_5| < |a_4| < \cdots < |a_0|$. To compensate for the last few coefficients being large, we sieve over a skewed region, i.e., a region that is much longer in x than in y. We take the region to be a rectangle whose width-to-height ratio is s.

The first stage of the process, generating a sample of polynomials with good yield, has the following main steps (d = 5):

— Guess leading coefficient $a_d$, usually with several small prime divisors (for projective roots).

— Determine initial m from $a_d m^d \approx N$. If the approximation $(N - a_d m^d)/m^{d-1}$ to $a_{d-1}$ is not close to an integer, try another $a_d$. Otherwise use (3) to determine a starting $f_1$.
— Try to replace the initial $f_1$ by a smaller one. This numerical optimization step replaces $f_1(x)$ by

$$f_1(x + k) + (cx + d)\cdot(x + k - m)$$

and m by m − k, sieving over a region with skewness s. It adjusts four real parameters c, d, k, s, rounding the optimal values (except s) to integers.

— Make adjustments to $f_1$ which cause it to have exceptionally good root properties, without destroying the qualities inherited from above. The main adjustment is to consider integer pairs $j_1, j_0$ (with $j_1$ and $j_0$ small compared to $a_2$ and $a_1$ respectively) for which the polynomial

$$f_1(x) + (j_1 x - j_0)\cdot(x - m)$$

has exceptionally good root properties modulo many small $p^n$. Such pairs $j_1, j_0$ are identified using a sieve-like procedure. For each promising $(j_1, j_0)$ pair, we revise the translation k and skewness s by repeating the numerical optimization on these values alone.

In the second stage of the process we rate, without sieving, the yields of the polynomial pairs $F_1, F_2$ produced from the first stage. We use a parameter which quantifies the effect of the root properties of each polynomial. We factor this parameter into estimates of smoothness probabilities for $F_1$ and $F_2$ across a region of skewness s.

At the conclusion of these two stages we perform short sieving experiments 
on the top-ranked candidates. 



Results. Four of us spent about 100 MIPS years on finding good polynomials for RSA-155. The following pair, found by Dodson, was used to factor RSA-155:

F_1(x, y) =  11 93771 38320 x^5
           − 80 16893 72849 97582 x^4 y
           − 66269 85223 41185 74445 x^3 y^2
           + 1 18168 48430 07952 18803 56852 x^2 y^3
           + 745 96615 80071 78644 39197 43056 x y^4
           − 40 67984 35423 62159 36191 37084 05064 y^5

F_2(x, y) = x − 3912 30797 21168 00077 13134 49081 y

with s ≈ 10800.

For the purpose of comparison, we give statistics for the above pair similar to those we gave for the RSA-140 polynomials in [8]. Denote by $a_{\max}$ the largest $|a_i|$ for i = 0, ..., d. The un-skewed analogue, $F_1(104x, y/104)$, of $F_1$ has $a_{\max} \approx 1.1 \cdot 10^{23}$, compared to the typical case for RSA-155 of $a_{\max} \approx 2.4 \cdot 10^{25}$. The un-skewed analogue of $F_2$ has $a_{\max} \approx 3.8 \cdot 10^{26}$. Hence, $F_1$ values have shrunk by approximately a factor of 215, whilst $F_2$ values have grown by a factor of approximately 16. $F_1$ has real roots x/y near −11976, −2225, 1584, 12012 and 672167.

With respect to the root properties of $F_1$ we have $a_5 = 2^4 \cdot 3^2 \cdot 5 \cdot 11^2 \cdot 19 \cdot 41 \cdot 1759$. Also, $F_1(x,y)$ has 20 roots x/y modulo the six primes from 3 to 17 and an additional 33 roots modulo the 18 primes from 19 to 97. As a result of its root properties, $F_1$-values have smoothness probabilities similar to those of random integers which are smaller by a factor of about 800.



Polynomial Search Time vs. Sieving Time. The yield of our two RSA-155 
polynomials is approximately 13.5 times that of a skewed pair of average yield 
for RSA-155 (about half of which comes from root properties and the other half 
from size). The corresponding figure for the RSA-140 pair is approximately 8 
(about a factor of four of which was due to root properties and the remaining 
factor of 2 to size). From this we deduce that, relatively speaking, our RSA-155 
selection is approximately 1.7 times “better” than our RSA-140 selection. 

Note that this is consistent with the observed differences in sieve time. As noted above, straightforward extrapolation of the NFS asymptotic run-time estimate (1) suggests that sieving for RSA-155 should have taken approximately 7 times as long as RSA-140. The actual figure is approximately 4. The difference can be approximately reconciled by the fact that the RSA-155 polynomial pair is, relatively, about 1.7 times “better” than the RSA-140 pair.

Another relevant comparison is to the RSA-130 factorization. RSA-130 of course was factorized without our improved polynomial selection methods. The polynomial pair used for RSA-130 has a yield approximately 3.2 times that of a random (un-skewed) selection for RSA-130. Extrapolation of the asymptotic NFS run-time estimate suggests that RSA-140 should have taken about 4 times as long as RSA-130, whereas the accepted difference is a factor of about 2. The difference is close to being reconciled by the RSA-140 polynomial selection being approximately 2.5 times better than the RSA-130 selection. Finally, to characterize the overall improvement accounted for by our techniques, we note that the RSA-155 selection is approximately 4.2 times better (relatively) than the RSA-130 selection.

Since the root properties of the non-linear polynomials for RSA-140 and RSA-155 are similar, most of the difference between them comes about because the RSA-155 selection is relatively “smaller” than the RSA-140 selection. This in turn comes about because we conducted a longer search for RSA-155 than we did for RSA-140, so it was more likely that we would find good size and good root properties coinciding in the same polynomials. In fact, we spent approximately 100 MIPS years on the RSA-155 search, compared to 60 MIPS years for RSA-140.

Continuing to search for polynomials is worthwhile only as long as the saving in sieve time exceeds the extra cost of the polynomial search. We have analyzed the “goodness” distribution of all polynomials generated during the RSA-155 search. Modulo some crude approximations, the results appear in Table 2. The table shows the expected benefit obtained from K times the polynomial search effort we actually invested (100 MY), for some useful K. The second column gives the change in search time corresponding to the K-altered search effort. The third column gives the expected change in sieve time, calculated from the change in yield according to our “goodness” distribution. Hence, whilst the absolute benefit may not have been great, it would probably have been worthwhile investing up to about twice the effort we did for the RSA-155 polynomial search. We conclude that, in the absence of further improvements, it is worthwhile using our method to find polynomials whose yields are approximately 10-15 times better than a random selection.

Table 2. Effect of varying the polynomial search time on the sieve time

K   | change in search time (in MY) | change in sieve time (in MY)
----|-------------------------------|-----------------------------
0.2 | -80                           | +260
0.5 | -50                           | +110
1   | 0                             | 0
2   | +100                          | -110
5   | +400                          | -260
10  | +900                          | -380

3.2 Sieving 

Two sieving methods were used simultaneously: lattice sieving and line sieving. 
This is probably more efficient than using a single sieve, despite the large per- 
centage of duplicates found (about 14%, see Section 3.3): both sievers deteriorate 
as the special q, resp. y (see below) increase, so we exploited the most fertile 
parts of both. In addition, using two sievers offers more flexibility in terms of 
memory: lattice sieving is possible on smaller machines; the line siever needs 
more memory, but discovers each relation only once. 

The lattice siever fixes a prime q, called the special q, which divides $F_1(x_0, y_0)$ for some known nonzero pair $(x_0, y_0)$, and finds (x, y) pairs for which both $F_1(x,y)/q$ and $F_2(x,y)$ are smooth. This is carried out for many special q's. Lattice sieving was introduced by Pollard [31] and the code we used is the implementation written by Arjen Lenstra and described in [18,11], with some additions to handle skewed sieving regions efficiently.

The line siever fixes a value of y (from y = 1, 2, ... up to some bound) and finds values of x in a given interval for which both $F_1(x,y)$ and $F_2(x,y)$ are smooth. The line siever code was written by Peter Montgomery, with help from Arjen Lenstra, Russell Ruby, Marije Elkenbracht-Huizing and Stefania Cavallar.

For the lattice sieving, both the rational and the algebraic factor base bounds were chosen to be $2^{24}$ = 16 777 216. The number of primes was about one million in each factor base. Two large primes were allowed on each side in addition to the special q input. The reason that we used these factor base bounds is that we used the lattice sieving implementation from [18] which does not allow larger factor base bounds. That implementation was written for the factorization of RSA-130 and was never intended to be used for larger numbers such as RSA-140, let alone RSA-155. We expect that a rewrite of the lattice siever that would allow larger factor base bounds would give a much better lattice sieving performance for RSA-155.

Most of the line sieving was carried out with two large primes on both the rational and the algebraic side. The rational factor base consisted of 2 661 384 primes < 44 000 000 and the algebraic factor base consisted of 6 304 167 prime ideals of norm < 110 000 000 (including the seven primes which divide the leading coefficient of $F_1(x,y)$). Some line sieving allowed three large primes instead of two on the algebraic side. In that case the rational factor base consisted of 539 777 primes < 8 000 000 and the algebraic factor base of 1 566 598 prime ideals of norm < 25 000 000 (including the seven primes which divide the leading coefficient of $F_1(x,y)$).

For both sievers the large prime bound 1 000 000 000 was used both for the 
rational and for the algebraic primes. 

The lattice siever was run for most special q's in the interval $[2^{24}, 3.08 \times 10^8]$. Each special q has at least one root r such that $f_1(r) = 0 \bmod q$. For example, the equation $f_1(x) = 0 \bmod q$ has five roots for q = 83, namely x = 8, 21, 43, 54, 82, but no roots for q = 31. The total number of special q-root pairs (q, r) in the interval $[2^{24}, 3.08 \times 10^8]$ equals about 15.7M. Lattice sieving ranged over a rectangle of 8192 by 5000 points per special q-root pair. Taking into account that we did not sieve over points (x, y) where both x and y are even, this gives a total of $4.8 \times 10^{14}$ sieving points. With lattice sieving a total of 94.8M relations were generated at the expense of 26.6 years of CPU time. Averaged over all the CPUs on which the lattice siever was run, this gives an average of 8.8 CPU seconds per relation.
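As an added check that is not the paper's code, the following Python takes the RSA-155 polynomial pair printed in Section 3.1 (digit groups joined) and recomputes the quantities the text quotes: the factorization of $a_5$, the roots of $f_1$ modulo the special q values 83 and 31 used as the example just above, the per-prime root counts x/y behind the figures 20 and 33, and the un-skewed $a_{\max}$ values with their factors 215 and 16. The typical $a_{\max}$ of 2.4·10^25 and the scale 104 ≈ √s come from the text; the function names and the convention of counting the projective root are ours.

```python
# Coefficients exactly as printed in Section 3.1: f_1(x) = sum A1[i] x^i, so that
# F_1(x, y) = y^5 f_1(x/y); the common root m gives F_2(x, y) = x - M y.
A1 = [
    -40679843542362159361913708405064,   # a_0  (term y^5)
    7459661580071786443919743056,        # a_1  (term x y^4)
    11816848430079521880356852,          # a_2  (term x^2 y^3)
    -66269852234118574445,               # a_3  (term x^3 y^2)
    -80168937284997582,                  # a_4  (term x^4 y)
    119377138320,                        # a_5  (term x^5)
]
M = 39123079721168000771313449081
SQRT_SKEW = 104                          # sqrt(s) for s ~ 10800, the paper's un-skewing scale
TYPICAL_AMAX = 2.4e25                    # typical a_max for RSA-155 quoted in the paper


def roots_mod_p(coeffs, p):
    """Affine roots of f_1(x) = 0 (mod p), by exhaustive search (p is small)."""
    return [x for x in range(p)
            if sum(a * pow(x, i, p) for i, a in enumerate(coeffs)) % p == 0]


def count_roots_xy(coeffs, p):
    """Roots x/y of F_1 mod p: the affine roots plus the projective root (y = 0),
    which exists exactly when p divides the leading coefficient a_d."""
    return len(roots_mod_p(coeffs, p)) + (1 if coeffs[-1] % p == 0 else 0)


def primes_between(lo, hi):
    return [n for n in range(max(lo, 2), hi + 1)
            if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def trial_factor(n, bound=2000):
    """Prime factors of n below `bound` (with multiplicity) and the remaining cofactor."""
    factors = []
    for p in range(2, bound):
        while n % p == 0:
            factors.append(p)
            n //= p
    return factors, n


def unskewed_amax(coeffs, scale):
    """a_max of F(scale*x, y/scale): the coefficient of x^i y^(d-i) is scaled by
    scale^(2i - d).  This is the un-skewed analogue the paper compares against."""
    d = len(coeffs) - 1
    return max(abs(a) * scale ** (2 * i - d) for i, a in enumerate(coeffs))


def size_summary():
    """Un-skewed a_max of F_1 and of F_2 (as [a_0, a_1] = [-M, 1]), and their
    shrink resp. growth factors relative to the typical RSA-155 selection."""
    amax1 = unskewed_amax(A1, SQRT_SKEW)
    amax2 = unskewed_amax([-M, 1], SQRT_SKEW)
    return amax1, amax2, TYPICAL_AMAX / amax1, amax2 / TYPICAL_AMAX


if __name__ == "__main__":
    print("a_5 =", trial_factor(A1[-1]))
    print("roots mod 83:", roots_mod_p(A1, 83), " roots mod 31:", roots_mod_p(A1, 31))
    for lo, hi in ((3, 17), (19, 97)):
        ps = primes_between(lo, hi)
        print(f"roots x/y modulo the {len(ps)} primes {lo}..{hi}:",
              sum(count_roots_xy(A1, p) for p in ps))
    print("un-skewed a_max of F_1, F_2, shrink factor, growth factor:", size_summary())
```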

For the line sieving with two large primes on both sides, sieving ranged over the regions³:

|x| ≤ 1 176 000 000,   1 ≤ y ≤ 25 000,
|x| ≤ 1 680 000 000,   25 001 ≤ y ≤ 110 000,
|x| ≤ 1 680 000 000,   120 001 ≤ y ≤ 159 000,

and for the line sieving with three large primes instead of two on the algebraic side, the sieving range was:

|x| ≤ 1 680 000 000,   110 001 ≤ y ≤ 120 000.

Not counting the points where both x and y are even, this gives a total of $3.82 \times 10^{14}$ points sieved by the line siever. With line sieving a total of 36.0M relations were generated at the expense of 9.1 years of CPU time. Averaged over all the CPUs on which the line siever was run, it needed 8.0 CPU seconds to generate one relation.
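Added example, not the authors' code: a toy of the base-m construction (3) with the $a_d$ acceptance check from the procedure in Section 3.1, followed by a small line siever in the sense of this section, run on a constructed 60-bit N = P·Q with d = 3 and one factor base bound for both sides. P, Q, the degree, the bounds, the integer-closeness tolerance and the sieve slack are our choices; no large primes are allowed, and prime powers are not sieved, which only costs a few relations.

```python
import math

P, Q = 1000000007, 998244353   # two constructed primes; N = P*Q is the toy modulus
N = P * Q
DEG = 3                        # the paper takes d = 5; d = 3 keeps the toy values small
SIEVE_X, SIEVE_Y = 3000, 4     # line siever range |x| <= SIEVE_X over lines y = 1..SIEVE_Y
FB_BOUND = 1000                # one factor base bound for both sides (toy choice)


def iroot(n, k):
    """Largest integer r with r**k <= n."""
    r = int(round(n ** (1.0 / k)))
    while r ** k > n:
        r -= 1
    while (r + 1) ** k <= n:
        r += 1
    return r


def leading_coeff_ok(n, deg, a_d, tol=0.1):
    """Second step of the search: with m = floor((N/a_d)^(1/d)) the approximation
    (N - a_d m^d) / m^(d-1) to a_{d-1} should be near an integer (tol is our choice)."""
    m = iroot(n // a_d, deg)
    approx = (n - a_d * m ** deg) / m ** (deg - 1)
    return abs(approx - round(approx)) < tol


def base_m_polynomial(n, deg, a_d):
    """Eq. (3): f_1(x) = a_d x^d + ... + a_0 with f_1(m) = N, where a_{d-1}..a_0 come
    from a balanced base-m expansion so that |a_i| <= m/2.  Returns (m, [a_0..a_d])."""
    m = iroot(n // a_d, deg)
    coeffs = [0] * (deg + 1)
    coeffs[deg] = a_d
    r = n - a_d * m ** deg
    for i in range(deg - 1, 0, -1):
        coeffs[i] = (r + m ** i // 2) // m ** i   # nearest integer to r / m^i
        r -= coeffs[i] * m ** i
    coeffs[0] = r
    return m, coeffs


def F1(coeffs, x, y):
    """Homogeneous F_1(x, y) = y^d f_1(x/y) = sum_i a_i x^i y^(d-i); f_1(x) = F1(coeffs, x, 1)."""
    d = len(coeffs) - 1
    return sum(a * x ** i * y ** (d - i) for i, a in enumerate(coeffs))


def F2(m, x, y):
    return x - m * y


def primes_upto(b):
    flags = bytearray([1]) * (b + 1)
    flags[0] = flags[1] = 0
    for p in range(2, int(b ** 0.5) + 1):
        if flags[p]:
            flags[p * p::p] = bytearray(len(range(p * p, b + 1, p)))
    return [p for p in range(b + 1) if flags[p]]


def is_smooth(n, primes):
    """True if |n| factors completely over `primes` (no large primes in this toy)."""
    n = abs(n)
    for p in primes:
        while n and n % p == 0:
            n //= p
    return n == 1


def line_sieve(coeffs, m, y, primes, xmax, slack):
    """One line y = const over |x| <= xmax.  For each factor base prime p, log p is
    added at every x with p | F_1(x, y) (roots of F_1(., y) mod p by brute force) and
    at every x with p | F_2(x, y), i.e. x = m*y (mod p).  Positions whose log sums
    come within `slack` of log|F_1| resp. log|F_2| are confirmed by trial division."""
    width = 2 * xmax + 1                        # index idx corresponds to x = idx - xmax
    alg, rat = [0.0] * width, [0.0] * width
    for p in primes:
        lp = math.log(p)
        roots = [r for r in range(p) if F1(coeffs, r, y) % p == 0]
        if len(roots) < p:                      # skip p if it divides every value on the line
            for r in roots:
                for idx in range((r + xmax) % p, width, p):
                    alg[idx] += lp
        for idx in range(((m * y) % p + xmax) % p, width, p):
            rat[idx] += lp
    relations = []
    for idx in range(width):
        x = idx - xmax
        v1, v2 = F1(coeffs, x, y), F2(m, x, y)
        if math.gcd(x, y) != 1 or v1 == 0 or v2 == 0:   # coprime pairs only, as in the paper
            continue
        if alg[idx] < math.log(abs(v1)) - slack or rat[idx] < math.log(abs(v2)) - slack:
            continue
        if is_smooth(v1, primes) and is_smooth(v2, primes):
            relations.append((x, y))
    return relations


def relation_is_valid(coeffs, m, x, y, primes):
    """A relation: coprime (a, b) with both F_1(a, b) and F_2(a, b) smooth."""
    return (math.gcd(x, y) == 1 and is_smooth(F1(coeffs, x, y), primes)
            and is_smooth(F2(m, x, y), primes))


def find_relations():
    """Whole toy pipeline: pick a_d, build f_1 by eq. (3), line sieve SIEVE_Y lines."""
    a_d = next(a for a in range(2, 500) if leading_coeff_ok(N, DEG, a))
    m, coeffs = base_m_polynomial(N, DEG, a_d)
    primes = primes_upto(FB_BOUND)
    rels = []
    for y in range(1, SIEVE_Y + 1):
        rels += line_sieve(coeffs, m, y, primes, SIEVE_X, 2 * math.log(FB_BOUND))
    return a_d, m, coeffs, rels
```

Calling find_relations() returns the chosen a_d, the common root m, the coefficients of f_1 and the coprime pairs (a, b) found; with the real RSA-155 bounds the same loop runs over 10^14 points, which is why the paper splits it over 300 machines.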

Sieving was done at twelve different locations where a total of 130.8M relations were generated, 94.8M by lattice sieving and 36.0M by line sieving. Each incoming file was checked at the central site for duplicates: this reduced the total number of useful incoming relations to 124.7M. Of these, 88.8M (71%) were found by the lattice siever and 35.9M (29%) by the line siever. The breakdown of the 124.7M relations (in %) among the twelve different sites⁴ is given in Table 3.

³ The somewhat weird choice of the line sieving intervals was made because more contributors chose line sieving than originally estimated.



Table 3. Breakdown of sieving contributions

% of relations | number of CPU days sieved | La(ttice) / Li(ne) | Contributor
---------------|---------------------------|--------------------|---------------------------------------
20.1           | 3057                      | La                 | Alec Muffett
17.5           | 2092                      | La, Li             | Paul Leyland
14.6           | 1819                      | La, Li             | Peter L. Montgomery, Stefania Cavallar
13.6           | 2222                      | La, Li             | Bruce Dodson
13.0           | 1801                      | La, Li             | François Morain and Gérard Guillerm
6.4            | 576                       | La, Li             | Joël Marchand
5.0            | 737                       | La                 | Arjen K. Lenstra
4.5            | 252                       | Li                 | Paul Zimmermann
4.0            | 366                       | La                 | Jeff Gilchrist
0.65           | 62                        | La                 | Karen Aardal
0.56           | 47                        | La                 | Chris and Craig Putnam



Calendar time for the sieving was 3.7 months. Sieving was done on about 160 SGI and Sun workstations (175-400 MHz), on eight R10000 processors (250 MHz), on about 120 Pentium II PCs (300-450 MHz), and on four Digital/Compaq boxes (500 MHz). The total amount of CPU-time spent on sieving was 35.7 CPU years.

We estimate the equivalent number of MIPS years as follows. For each con- 
tributor, Table 4 gives the number of million relations generated (rounded to two 
decimals), the number of CPU days ds sieved for this and the estimated average 
speed Ss, in million instructions per seconds (MIPS), of the processors on which 
these relations were generated. In the last column we give the corresponding 
number of MIPS years dsSs/365. For the time counting on PCs, we notice that 
on PCs one usually get real times which may be higher than the CPU times. 

Summarizing gives a total of 8360 MIPS years (6570 for lattice and 1790 
for line sieving). For comparison, RSA-140 took about 2000 MIPS years and 
RSA-130 about 1000 MIPS years. 

A measure of the "quality" of the sieving may be the average number of points 
sieved to generate one relation. Table 5 gives this quantity for RSA-140 and for 
RSA-155, for the lattice siever and for the line siever. This illustrates that the 
sieving polynomials were better for RSA-155 than for RSA-140, especially for 
the line sieving. In addition, the increase of the linear factor base bound from 
500M for RSA-140 to 1000M for RSA-155 accounts for some of the change in 
yield. For RSA-155, the factor bases were much bigger for line sieving than for 
lattice sieving. This explains the increase of efficiency of the line siever compared 
with the lattice siever from RSA-140 to RSA-155. 

(†) Lenstra sieved at two sites, viz., Citibank and Univ. of Sydney. 

Table 4. # MIPS years spent on lattice (La) and line (Li) sieving 

  Contributor       # relations   # CPU days   average speed    # MIPS years 
                                  sieved       of processors 
                                               in MIPS 

  Muffett, La       27.46M        3057         285              2387 
  Leyland, La       19.27M        1395         300              1146 
  Leyland, Li        4.52M         697         300               573 
  CWI, La            1.60M         167         175                80 
  CWI, Li, 2LP      15.64M        1160         210               667 
  CWI, Li, 3LP       1.00M         492          50                67 
  Dodson, La        10.28M        1631         175               782 
  Dodson, Li         7.00M         591         175               283 
  Morain, La        15.83M        1735         210               998 
  Morain, Li         1.09M          66         210                38 
  Marchand, La       7.20M         522         210               300 
  Marchand, Li       1.11M          54         210                31 
  Lenstra, La        6.48M         737         210               424 
  Zimmermann, Li     5.64M         252         195               135 
  Gilchrist, La      5.14M         366         350               361 
  Aardal, La         0.81M          62         300                51 
  Putnam, La         0.76M          47         300                39 



Table 5. Average number of points sieved per relation 

            lattice siever   line siever 
  RSA-140   1.5 × 10^7       3.0 × 10^8 
  RSA-155   5.1 × 10^6       1.1 × 10^7 



3.3 Filtering and Finding Dependencies 

The filtering of the data and the building of the matrix were carried out at CWI 
and took one calendar month. 



Filtering. Here we describe the filter strategy which we used for RSA-155. An 
essential difference with the filter strategy used for RSA-140 is that we applied 
k-way merges (defined below) with 2 ≤ k ≤ 8 for RSA-155, but only 2- and 
3-way merges for RSA-140. 

First, we give two definitions. A relation-set is one relation, or a collection of 
two or more relations generated by a merge. A k-way merge (k ≥ 2) is the action 
of combining k relation-sets with a common prime ideal into k−1 relation-sets, 
with the purpose of eliminating that common prime ideal. This is done such that 
the weight increase is minimal by means of a minimum spanning tree algorithm 
[9]. 

Among the 124.7M relations collected from the twelve different sites, 21.3M 
duplicates were found generated by lattice sieving, as well as 17.9M duplicates 
caused by the simultaneous use of the lattice and the line siever. 

During the first filter round, only prime ideals with norm > 10M were con- 
sidered. In a later stage of the filtering, this 10M-bound was reduced to 7M, 
in order to improve the possibilities for merging relations. We added 0.2M free 
relations for prime ideals of norm > 10M (cf. [16, Section 4, pp. 234-235]). From 
the resulting 85.7M relations, 32.5M singletons were deleted, i.e., those relations 
with a prime ideal of norm > 10M which does not occur in any other undeleted 
relation. 

We were left with 53.2M relations containing 42.6M different prime ideals of 
norm > 10M. If we assume that each prime and each prime ideal with norm 
< 10M occurs at least once, then we needed to reserve at least (2 − 1/120)·π(10^7) 
excess relations for the primes and the prime ideals of norm smaller than 10M, 
where π(x) is the number of primes below x. The factor 2 comes from the two 
polynomials and the correction factor 1/120 takes account of the presence of free 
relations, where 120 is the order of the Galois group of the algebraic polynomial. 
With π(10^7) = 664 579 the required excess is about 1.3M relations, whereas we 
had 53.2M − 42.6M = 10.6M excess relations at our disposal. 

In the next merging step 33.0M relations were removed which would have 
formed the heaviest relation-sets when performing 2-way merges, reducing the 
excess from 10.6M to about 2M relations. So we were still allowed to discard 
about 2.0M − 1.3M = 0.7M relations. The remaining 20.1M non-free relations (‡) 
having 18.2M prime ideals of norm > 10M were used as input for the merge step 
which eliminated prime ideals occurring in up to eight different relation-sets. 
During this step we looked at prime ideals of norm > 7M. Here, our approach 
differs from what we did for RSA-140, where only primes occurring twice or 
thrice were eliminated. Applying the new filter strategy to RSA-140 would have 
resulted in a 30% smaller (3.3M instead of 4.7M columns) but only 20% heavier 
matrix than the one actually used for the factorization of RSA-140 and would 
have saved 27% on the block Lanczos run time. The k (k ≤ 8) relations were 
combined into the lightest possible k−1 relation-sets and the corresponding 
prime ideal (row in the matrix) was "balanced" (i.e., all entries of the row were 
made 0). The overall effect was a reduction of the matrix size by one row and one 
column while increasing the matrix weight when k > 2, as described below. We 
did not perform all possible merges. We limited the program to only do merges 
which caused a weight increase of at most 7 original relations. The merges were 
done in ascending order of weight increase. 

Since each k-way merge causes an increase of the matrix weight of about 
(k − 2) times the weight of the lightest relation-set, these merges were not al- 
ways executed for higher values of k. For example, 7- and 8-way merges were not 
executed if all the relation-sets were already-combined relations. We decided to 
discard relation-sets which contained more than 9 relations and to stop merging 
(and discarding) after 670K relations were discarded. At this point we should 
have slightly more columns than rows and did not want to lose any more columns. 
The maximum discard threshold was reached during the 10th pass through the 
18.6M prime ideals of norm > 7M, when we allowed the maximum weight in- 
crease to be about 6 relations. This means that no merges with weight increase 
of 7 relations were executed. The filter program stopped with 6.7M relation sets. 
For more details and experiments with RSA-155 and other numbers, see [9]. 

(‡) The 0.1M free relations are not counted in these 20.1M relations because the free 
relations are generated during each filter run. 
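The filter steps above (singleton removal, excess accounting, and k-way merges whose cost is about (k−2) times the weight of the lightest relation-set) are easiest to follow on a toy instance. The Python program below is an added example and is not the CWI filter code or any code from this paper. It models a relation as the set of its large prime ideals (those above the filter bound), tracks each relation-set as the set of original relations combined into it (exponents mod 2, as the matrix needs), and combines the k sets through the lightest one instead of the minimum spanning tree of [9], so its weight increase is exactly (k−2) times the lightest weight. The sample relations, the ideal labels, the bound names and the thresholds (sets heavier than 9 relations are discarded, weight increase at most 7) are constructed for illustration.

```python
from collections import defaultdict


class RelSet:
    """A relation-set: the large prime ideals that still occur with odd
    multiplicity, and the ids of the original relations combined into it."""

    def __init__(self, ideals, rels):
        self.ideals = frozenset(ideals)
        self.rels = frozenset(rels)

    @property
    def weight(self):
        # weight is measured in original relations, as in the paper
        return len(self.rels)


def remove_singletons(relsets):
    """Repeatedly drop relation-sets containing a prime ideal that occurs in
    no other surviving relation-set (its matrix row could never be balanced)."""
    current = list(relsets)
    while True:
        count = defaultdict(int)
        for s in current:
            for p in s.ideals:
                count[p] += 1
        kept = [s for s in current if all(count[p] > 1 for p in s.ideals)]
        if len(kept) == len(current):
            return kept
        current = kept


def excess(relsets):
    """Number of relation-sets minus number of distinct prime ideals present."""
    ideals = set()
    for s in relsets:
        ideals |= s.ideals
    return len(relsets) - len(ideals)


def merge_cost(k, lightest_weight):
    """Weight increase of a k-way merge when every new set is formed by
    combining one of the k sets with the lightest one: (k-2) * w_lightest."""
    return (k - 2) * lightest_weight


def merge_prime(relsets, p):
    """k-way merge on p: replace the k sets containing p by k-1 sets, each the
    combination (symmetric difference, i.e. sum mod 2) of one set with the
    lightest, which eliminates p from every surviving set."""
    with_p = [s for s in relsets if p in s.ideals]
    pivot = min(with_p, key=lambda s: s.weight)
    merged = [RelSet(s.ideals ^ pivot.ideals, s.rels ^ pivot.rels)
              for s in with_p if s is not pivot]
    return [s for s in relsets if p not in s.ideals] + merged


def filter_relations(relations, kmax=8, max_increase=7, max_set_size=9):
    """Singleton removal, then merges in ascending order of weight increase,
    eliminating prime ideals that occur in 2..kmax relation-sets."""
    relsets = remove_singletons(RelSet(r, {i}) for i, r in enumerate(relations))
    while True:
        occ = defaultdict(list)
        for s in relsets:
            for p in s.ideals:
                occ[p].append(s)
        candidates = []
        for p, sets in occ.items():
            k = len(sets)
            if 2 <= k <= kmax:
                cost = merge_cost(k, min(s.weight for s in sets))
                if cost <= max_increase:
                    candidates.append((cost, k, p))
        if not candidates:
            return relsets
        _, _, p = min(candidates)              # cheapest merge first
        relsets = merge_prime(relsets, p)
        relsets = [s for s in relsets if s.weight <= max_set_size]  # discard heavy sets
        relsets = remove_singletons(relsets)   # a merge can create new singletons


# Constructed toy input: each relation lists its large prime ideals.
SAMPLE_RELATIONS = [
    {"a", "b"}, {"a", "c"}, {"b", "c"},   # a triangle: a, b, c can all be eliminated
    {"c", "d"}, {"d", "e"}, {"e"},        # a chain hanging off c
    {"x"}, {"y", "z"},                    # x, y, z occur once: singletons
]

if __name__ == "__main__":
    start = remove_singletons(RelSet(r, {i}) for i, r in enumerate(SAMPLE_RELATIONS))
    print("after singleton removal:", len(start), "sets, excess", excess(start))
    for s in filter_relations(SAMPLE_RELATIONS):
        print("relation-set from relations", sorted(s.rels), "remaining ideals", sorted(s.ideals))
```

On the sample, the three triangle relations collapse into one relation-set with no large ideal left (a, b and c each occur twice, so the product has only small primes), and the chain is eaten by the singleton cascade that each merge can trigger; the excess of 1 survives as that one fully merged set.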

Finding Dependencies. From the matrix left after the filter step we omitted 
the small primes < 40, thus reducing the weight by 15%. The resulting matrix 
had 6 699 191 rows, 6 711 336 columns, and weight 417 132 631 (62.27 non-zeros 
per row). With the help of Peter Montgomery's Cray implementation of the 
block Lanczos algorithm (cf. [25]) it took 224 CPU hours and 2 Gbytes of central 
memory on the Cray C916 at the SARA Amsterdam Academic Computer Center 
to find 64 dependencies among the rows of this matrix. Calendar time for this 
job was 9.5 days. 

In order to extract from these 64 dependencies some dependencies for the ma- 
trix including the primes < 40, quadratic character checks were used as described 
in [1], [7, §8, §12.7], and [15, last paragraph of Section 3.8 on pp. 30-31]. This 
yielded a dense 100 × 64 homogeneous system which was solved by Gaussian 
elimination. That system turned out to have 14 independent solutions, which 
represent linear combinations of the original 64 dependencies. 

3.4 The Square Root Step 

On August 20, 1999, four different square root (cf. [24]) jobs were started in par- 
allel on four different 300 MHz processors of an SGI Origin 2000, each handling 
one dependency. One job found the factorization after 39.4 CPU-hours, the other 
three jobs found the trivial factorization after 38.3, 41.9, and 61.6 CPU-hours 
(different CPU times are due to the use of different parameters in the four jobs). 
We found that the 155-digit number 

RSA-155 = 
10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897 

can be written as the product of two 78-digit primes: 

p = 102639592829741105772054196573991675900716567808038066803341933521790711307779 

and 

q = 106603488380168454820927220360012878679207958575989291522270608237193062808643. 

Primality of the factors was proved with the help of two different primality 
proving codes [4,10]. The factorizations of p ± 1 and q ± 1 are given by 

p − 1 = 2 · 607 · 305999 · 276297036357806107796483997979900139708537040550885894355659143575473 
p + 1 = 2^2 · 3 · 5 · 5253077241827 · 325649100849833342436871870477394634879398067295372095291531269 
q − 1 = 2 · 241 · 430028152261281581326171 · 514312985943800777534375166399250129284222855975011 
q + 1 = 2^2 · 3 · 130637011 · 237126941204057 · 10200242155298917871797 · 28114641748343531603533667478173 
A Details of Recent Absolute and SNFS Factoring Records 

Table 6. Absolute factoring records 

  # digits                  129          130          140          155 
  method                    QS           GNFS         GNFS         GNFS 
  code                      Gardner      RSA-130      RSA-140      RSA-155 
  factor date               Apr 2,       Apr 10,      Feb 2,       Aug 22, 
                            1994         1996         1999         1999 
  size of p, q              64, 65       65, 65       70, 70       78, 78 
  sieve time                5000         1000         2000         8400 
  (in MIPS years) 
  total sieve time          ?            ?            8.9          35.7 
  (in CPU years) 
  calendar time             ~270         120          30           110 
  for sieving (in days) 
  matrix size               0.6M         3.5M         4.7M         6.7M 
  row weight                47           40           32           62 
  Cray CPU hours            n.a.         67           100          224 
  group                     Internet     Internet     CABAL        CABAL 

Table 7. Special Number Field Sieve factoring records 

  # digits                  148          167          180          186          211 
  code                      2,512+       3,349-       12,167+      NEC          10,211- 
  factor date               Jun 15,      Feb 4,       Sep 3,       Sep 15,      April 8, 
                            1990         1997         1997         1998         1999 
  size of p, q              49, 99       80, 87       75, 105      71, 73       93, 118 
  total sieve time          340 (a)      ?            1.5          5.1          10.9 
  (in CPU years) 
  calendar time             83           ?            10           42           64 
  for sieving (in days) 
  matrix size               72K          ?            1.9M         2.5M         4.8M 
  row weight                dense        ?            29           27           49 
  Cray CPU hours            3 (b)        ?            16           25           121 
  group                     Internet     NPSNET       CWI          CWI          CABAL 

(a) MIPS years 
(b) carried out on a Connection Machine 
Abstract. We present an index-calculus algorithm for the computation 
of discrete logarithms in the Jacobian of hyperelliptic curves defined 
over finite fields. The complexity predicts that it is faster than the Rho 
method for genus greater than 4. To demonstrate the efficiency of our 
approach, we describe our breaking of a cryptosystem based on a curve 
of genus 6 recently proposed by Koblitz. 



1 Introduction 

The use of hyperelliptic curves in public-key cryptography was first proposed by 
Koblitz in 1989 [24]. It appears as an alternative to the use of elliptic curves [23] 
[31], with the advantage that it uses a smaller base field for the same level of 
security. Several authors have given ways to build hyperelliptic cryptosystems 
efficiently. The security of such systems relies on the difficulty of solving the 
discrete logarithm problem in the Jacobian of hyperelliptic curves. If an algo- 
rithm tries to solve this problem performing "simple" group operations only, it 
was shown by Shoup [39] that the complexity is at least O(√n), where n is the 
largest prime dividing the order of the group. Algorithms with such a complex- 
ity exist for generic groups and can be applied to hyperelliptic curves, but are 
still exponential. The Pollard Rho method and its parallel variants are the most 
important examples [34], [46], [17]. 

For the elliptic curve discrete logarithm problem, there are some particular 
cases where a solution can be found with a complexity better than O(√n). See 
[30], [38], [40], [37]. Similar cases were discovered for hyperelliptic curves [14], 
[35]. However they are very particular and can be easily avoided when designing 
a cryptosystem. 

In 1994, Adleman, DeMarrais and Huang [1] published the first algorithm 
(ADH for short) to compute discrete logs which runs in subexponential time 
when the genus is sufficiently large compared to the size of the ground field. 
This algorithm was rather theoretical, and some improvements to it were done. 
Flassenberg and Paulus [13] implemented a sieve version of this algorithm, but 
the consequences for cryptographical applications are not clear. Enge [11] im- 
proved the original algorithm and gave a precise evaluation of the running time, 
but did not implement his ideas. Müller, Stein and Thiel [32] extended the re- 
sults to the real quadratic congruence function fields. Smart and Galbraith [16] 
also gave some ideas in the context of the Weil descent, following ideas of Frey; 
they dealt with general curves (not hyperelliptic). 

Our purpose is to present a variant of existing index-calculus algorithms like 
ADH or Hafner-McCurley [19], which allowed us to break a cryptosystem based 
on a curve of genus 6 recently proposed by Koblitz. The main improvement 
is due to the fact that the costly HNF computation in classical algorithms is 
replaced by that of the kernel of a sparse matrix. A drawback is that we have 
to assume that the order of the group in which we are working is known. This 
is not a constraint in a cryptographical context, because the knowledge of this 
order is preferable to build protocols. But from a theoretical point of view it 
differs from the ADH or Hafner-McCurley algorithms, where the order of the group 
was a byproduct of the discrete logarithm computation (in fact the aim of the 
HNF computation was to find the group structure). 

We will analyse our method for small genus and show that it is faster than 
the Pollard Rho method as soon as the genus is strictly greater than 4. Indeed its 
complexity is O(q^2), up to factors polynomial in log q, where q is the cardinality 
of the base field. We will explain below some consequences for the choice of the 
parameters, curve and base field, when building a cryptosystem. 

Moreover, the presence of an automorphism of order m on the curve can be 
used to speed up the computation, just as in the Rho method [9] [17] [48]. This 
is the case in almost all the examples in the literature. The gain in the Rho 
method is a factor √m, but the gain obtained here is a factor m^2, which is very 
significant in practice. 

The organization of the paper is as follows: in section 2 after some generalities 
on hyperelliptic curves, our algorithm is described. It is analyzed in section 3, 
and in section 4 we explain how the presence of an automorphism can help. 
Finally the section 5 gives some details on our implementation and the results 
of our experiments with Koblitz's curve. 



2 Description of the Algorithm 

2.1 Hyperelliptic Curves 

We give an overview of the theory of hyperelliptic curves. More precise state- 
ments can be found in [24], [4], [15]. We will restrict ourselves to the so-called 
imaginary quadratic case. 

A hyperelliptic curve C of genus g over a field K is a smooth plane projective 
curve which admits an affine equation of the form y^2 + h(x)y = f(x), where f is 
a polynomial of degree 2g+1, and h is a polynomial of degree at most g, both 
with coefficients in K. 

A divisor on the curve C is a finite formal sum of points of the curve. The 
set of all divisors yields an abelian group denoted by Div(C). For each divisor 
D = Σ_i n_i P_i ∈ Div(C), where the P_i are points on the curve, we define the degree 
of D by deg(D) = Σ_i n_i. The set of all divisors of degree zero is a sub-group of 
Div(C) denoted by Div^0(C). 

For each function φ on the curve, we can define a divisor denoted by 
div(φ) by assigning at each point P_i of the curve the value n_i equal to the 
multiplicity of the zero if φ(P_i) = 0, or the opposite of the multiplicity of the 
pole if the function is not defined at P_i. It can be shown that the sum is finite, 
and moreover that the degree of such a divisor is always zero. The set of all 
divisors built from a function is a subgroup of Div^0(C) denoted by P(C) and we 
call these divisors principal. The Jacobian of the curve C is then defined by the 
quotient group J(C) = Div^0(C)/P(C). 

If the base field of the curve is a finite field with cardinality q, then the 
Jacobian of the curve is a finite abelian group of order around q^g. The Hasse-Weil 
bound gives a precise interval for this order: (√q − 1)^{2g} ≤ #J(C) ≤ (√q + 1)^{2g}. 

In [4], Cantor gave an efficient algorithm for the computation of the group 
law. We do not recall his method, but we recall the representation of the elements. 

Proposition 1 In every class of divisors in J(C), there exists a unique divi- 
sor D = P_1 + ··· + P_g − g∞, such that for all i ≠ j, P_i and P_j are not symmetric 
points. Such a divisor is called reduced, and there is a unique representation of 
D by two polynomials [u, v], such that deg v < deg u ≤ g, and u divides v^2 + hv − f. 

In this representation, the roots of the polynomial u are exactly the abscissae 
of the points which occur in the reduced divisor. 

The group J(C) can now be used in cryptographical protocols based on the 
discrete logarithm problem, for example Diffie-Hellman or ElGamal's protocols. 
The security relies on the difficulty of the following problem. 

Definition 1 The hyperelliptic discrete logarithm problem takes on input a 
hyperelliptic curve of given genus, an element D_1 of the Jacobian, its order n, 
and another element D_2 in the subgroup generated by D_1. The problem is to find 
an integer λ modulo n such that D_2 = λ·D_1. 



2.2 Smooth Divisors 

Like any index-calculus method, our algorithm is based on the notions of smooth- 
ness, and prime elements. We will recall these notions for divisors on hyperelliptic 
curves, which were first defined in ADH. 

Definition 2 With the polynomial representation D = [u, v], a divisor will be 
said to be prime if the polynomial u is irreducible over F_q. 

For a prime divisor D, when there is no possible confusion with the degree of 
D as a divisor (which is always zero), we will talk about the degree of D instead 
of the degree of u. 

Proposition 2 A divisor D of J(C) represented by the polynomials [u, v] is 
equal to the sum of prime divisors [u_i, v_i], where the u_i are the prime factors of 
u. 

Now we can give the smoothness definition. Let S be an integer called the 
smoothness bound. 

Definition 3 A divisor is said to be S-smooth if all its prime divisors are of 
degree at most S. When S = 1, a 1-smooth divisor will be a divisor for which 
the polynomial u splits completely over F_q. 

The case S = 1 is the most important for two reasons: the first one is that for 
a relatively small genus (say at most 9), and a reasonable field size, this choice is 
the best in practice. The second one is that if we want to analyze our algorithm 
for a fixed g and a q tending to infinity, this is also the good choice. 

The definition of a smooth divisor can be seen directly on the expression of 
D as a sum of points of the curve. Note that a divisor defined over F_q is defined 
by being invariant under the Galois action. But it does not imply that the points 
occurring in it are defined over F_q; they can be exchanged by Galois. Hence an 
equivalent definition of smoothness is given by the following proposition. 

Proposition 3 A divisor D = P_1 + ··· + P_g − g∞ is S-smooth if and only if 
each point P_i is defined over an extension F_{q^k} with k ≤ S. 

We define also a factor basis, similar to the one used for the classical discrete log 
problem over F_p^*. 

Definition 4 The factor basis, denoted by G_S, is the set of all the prime divisors 
of degree at most S. For S = 1 we simply write G. 

In the following, we will always take S = 1 and we will say 'smooth divisor' 
for 1-smooth divisor. 



2.3 Overview of the Algorithm 

For the sake of simplicity, we will suppose that the Jacobian of the curve has 
an order which is almost prime and that we have to compute a discrete log in 
the subgroup of large prime order (this is always the case in cryptography). Let 
n = ord(D_1) be this prime order, and D_2 be the element for which we search 
the log. 

We introduce a pseudo-random walk (as in [45]) in the subgroup generated 
by D_1: Let R_0 = α_0 D_1 + β_0 D_2 be the starting point of the walk, where R_0 is 
the reduced divisor obtained by Cantor's algorithm, and α_0 and β_0 are random 
integers. For j from 1 to r, we compute random divisors T^(j) = α^(j) D_1 + β^(j) D_2. 
The walk will then be given by R_{i+1} = R_i + T^(H(R_i)), where H is a hash function 
from the subgroup generated by D_1 to the interval [1, r]. This hash function is 
assumed to have good statistical properties; in practice, it can be given by the 
last bits in the internal representation of the divisors. Once the initialization is 
finished, we can compute a new pseudo-random element R_{i+1} at the cost of one 
addition in the Jacobian. Moreover at each step we get a representation of R_{i+1} 
as α_{i+1} D_1 + β_{i+1} D_2, where α_{i+1} and β_{i+1} are integers modulo n. 

The classical method is to wait for a collision R_{i_1} = R_{i_2}, which will yield 
the discrete logarithm λ = −(α_{i_1} − α_{i_2})/(β_{i_1} − β_{i_2}) mod n. We can however make 
use of the smooth divisors. For each R_j of the random walk, test its smoothness. 
If it is smooth, express it on the factor basis, else throw it away. Thus we extract 
a subsequence of the sequence (R_i) where all the divisors are smooth. We denote 
also by (R_i) this subsequence. Hence we can put the result of this computation 
in a matrix M, each column representing an element of the factor basis, and 
each row being a reduced divisor R_i expressed on the basis: for a row i, we have 
R_i = Σ_k m_{ik} g_k, where M = (m_{ik}). We collect #G + 1 rows in order to have 
a (#G + 1) × #G matrix. Thus the kernel of the transpose of M is of dimension 
at least 1. Using linear algebra, we find a non-zero vector of this kernel, which 
corresponds to a relation between the R_i's. Then we have a family (γ_i) such that 
Σ_i γ_i R_i = 0. Going back to the expression of R_i in function of D_1 and D_2, we 
get Σ_i γ_i (α_i D_1 + β_i D_2) = 0, and then 

λ = − (Σ_i γ_i α_i) / (Σ_i γ_i β_i) mod n. 

The discrete logarithm is now found with high probability (the denominator is 
zero with probability 1/n). 

We summarize this algorithm in the figure 1. 



2.4 Details on Critical Phases 

In the first step, we have to build the factor basis, and for that, we have to find, 
if it exists, a polynomial v corresponding to a given irreducible u. This can be 
rewritten in solving an equation of degree 2 over F_q, which can be done quickly. 

The initialization of the random walk is only a matter of operations in the 
group; after that, computing each random divisor R_j requires a single operation 
in the group. 

One crucial point is to test the smoothness of a divisor, i.e. to decide if a 
polynomial of degree g (the u of the divisor) splits completely over F_q. A way to 
do that is to perform the beginning of the factorization of u, which is called DDF 
(stands for distinct degree factorization). By computing gcd(x^q − x, u(x)), we 
get the product of all the prime factors of u of degree 1. Thus if the degree of 
this product is equal to the degree of u, it proves that u splits completely over F_q. 

In the case where a smooth divisor is detected, the factorization can be 
completed, or a trial division with the elements of the basis can be performed. 

The linear algebra is the last crucial point. The matrix obtained is sparse, 
and we have at most g terms in each row. Then sparse techniques like Lanczos's 
[27] or Wiedemann's [47] algorithm can be used, in order to get a solution in 
time quadratic in the number of rows (instead of cubic by Gaussian elimination). 
Input: A divisor D_1 of a curve of genus g over F_q, of prime order n = 
ord(D_1), a divisor D_2 ∈ ⟨D_1⟩, and a parameter r. 

Output: An integer λ such that D_2 = λ D_1. 

1. /* Build the factor basis G */ 

For each monic irreducible polynomial u_i over F_q of degree 1, try to find 
v_i such that [u_i, v_i] is a divisor of the curve. If there is a solution, store 
g_i = [u_i, v_i] in G (we only put one of the two opposite divisors in the 
basis). 

2. /* Initialization of the random walk */ 

For j from 1 to r, select α^(j) and β^(j) at random in [1..n], and compute 
T^(j) := α^(j) D_1 + β^(j) D_2. 

Select α_0 and β_0 at random in [1..n] and compute R_0 := α_0 D_1 + β_0 D_2. 
Set k to 1. 

3. /* Main loop */ 

(a) /* Look for a smooth divisor */ 

Compute j := H(R_0), R_0 := R_0 + T^(j), α_0 := α_0 + α^(j) mod n, and 
β_0 := β_0 + β^(j) mod n. 

Repeat this step until R_0 = [u_0(z), v_0(z)] is a smooth divisor. 

(b) /* Express R_0 on the basis G */ 

Factor u_0(z) over F_q, and determine the positions of the factors in 
the basis G. Store the result as a row R_k = Σ_i m_{ik} g_i of a matrix 
M = (m_{ik}). 

Store the coefficients α_k = α_0 and β_k = β_0. 

If k < #G + 1, then set k := k + 1, and return to step 3.a. 

4. /* Linear algebra */ 

Find a non-zero vector (γ_k) of the kernel of the transpose of the matrix 
M. The computation can be done in the field Z/nZ. 

5. /* Solution */ 

Return λ = −(Σ_k α_k γ_k)/(Σ_k β_k γ_k) mod n. (If the denominator is zero, 
return to step 2.) 

Fig. 1. Discrete log algorithm 



Some other optimizations can be done to speed up the computation. They 
will be described in section 5. 
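To see the index-calculus structure of Fig. 1 (steps 2 to 5) actually run, the Python program below is an added example, not the authors' implementation, that replaces the Jacobian by a subgroup of prime order n in the multiplicative group F_p^* (the classical setting that Definition 4 refers to): the factor basis is the set of primes below a bound B, an element is "smooth" when its integer representative is B-smooth, and its row of M is the exponent vector. The walk, the hash H taken from the low bits of the representation, the kernel-of-the-transpose computation over Z/nZ and the final formula follow the figure. The parameters (n just above 10^6, B = 200, r = 20, the seed) are chosen for a quick run and are not from the paper. Why the kernel may be computed mod n although the primes of the basis are not in the subgroup: a vector γ with Σ_k γ_k m_{ik} ≡ 0 mod n for every i makes Π_k R_k^{γ_k} an n-th power, n-th powers lie in the subgroup of order (p−1)/n, and that subgroup meets ⟨D_1⟩ trivially when n is prime and does not divide the cofactor; this is the same argument that lets the paper work in Z/nZ inside an almost-prime-order Jacobian.

```python
import random


def is_prime(m):
    """Trial division; fine for the small parameters used here."""
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True


def setup_group(n_start):
    """Prime n >= n_start, prime p = c*n + 1 with a small cofactor c (so
    gcd(c, n) = 1), and D1 of order exactly n: a c-th power that is not 1."""
    n = n_start
    while not is_prime(n):
        n += 1
    c = 2
    while not is_prime(c * n + 1):
        c += 1
    p = c * n + 1
    D1 = next(y for y in (pow(x, c, p) for x in range(2, p)) if y != 1)
    return p, n, D1


def smooth_exponents(x, factor_base):
    """Exponent vector of x over the factor base, or None if x is not smooth."""
    exps = []
    for q in factor_base:
        e = 0
        while x % q == 0:
            x //= q
            e += 1
        exps.append(e)
    return exps if x == 1 else None


def kernel_vector(A, n):
    """Non-zero v with A v = 0 over Z/nZ (n prime), for A with more columns
    than rows: Gauss-Jordan to reduced row echelon form, then set one free
    variable to 1 (dense elimination stands in for Lanczos at this size)."""
    A = [[x % n for x in row] for row in A]
    rows, cols = len(A), len(A[0])
    pivots = []
    r = 0
    for c in range(cols):
        if r == rows:
            break
        piv = next((i for i in range(r, rows) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, n)
        A[r] = [x * inv % n for x in A[r]]
        for i in range(rows):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * y) % n for x, y in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    free = next(c for c in range(cols) if c not in pivots)
    v = [0] * cols
    v[free] = 1
    for i, c in enumerate(pivots):
        v[c] = (-A[i][free]) % n
    return v


def index_calculus_dlog(p, n, D1, D2, factor_base, r=20, seed=1, max_steps=10**6):
    """Steps 2-5 of Fig. 1 in the subgroup <D1> of F_p^*: returns lam with
    D2 == D1^lam mod p. Multiplicative notation: R_k = D1^alpha_k * D2^beta_k."""
    rng = random.Random(seed)
    G = len(factor_base)
    while True:                                   # restart = "return to step 2"
        # step 2: r random multipliers T_j and a random starting point R_0
        a = [rng.randrange(1, n) for _ in range(r)]
        b = [rng.randrange(1, n) for _ in range(r)]
        T = [pow(D1, a[j], p) * pow(D2, b[j], p) % p for j in range(r)]
        alpha, beta = rng.randrange(1, n), rng.randrange(1, n)
        R = pow(D1, alpha, p) * pow(D2, beta, p) % p
        rows, alphas, betas = [], [], []
        # step 3: walk until G + 1 smooth elements are collected
        for _ in range(max_steps):
            j = R % r                             # hash H: low bits of R
            R = R * T[j] % p
            alpha, beta = (alpha + a[j]) % n, (beta + b[j]) % n
            exps = smooth_exponents(R, factor_base)
            if exps is not None:
                rows.append(exps)
                alphas.append(alpha)
                betas.append(beta)
                if len(rows) == G + 1:
                    break
        else:
            continue                              # too few smooth elements: new walk
        # step 4: gamma with M^T gamma = 0 over Z/nZ, M being (G+1) x G
        MT = [[rows[k][i] for k in range(G + 1)] for i in range(G)]
        gamma = kernel_vector(MT, n)
        # step 5: sum_k gamma_k (alpha_k + lam * beta_k) = 0 mod n
        num = sum(g * al for g, al in zip(gamma, alphas)) % n
        den = sum(g * be for g, be in zip(gamma, betas)) % n
        if den:
            return (-num) * pow(den, -1, n) % n


if __name__ == "__main__":
    p, n, D1 = setup_group(1_000_003)
    secret = 424242 % n
    D2 = pow(D1, secret, p)
    base = [q for q in range(2, 200) if is_prime(q)]
    lam = index_calculus_dlog(p, n, D1, D2, base)
    print(f"p={p} n={n} recovered lambda={lam} correct={lam == secret}")
```

Because the next step depends only on the current element, the walk is a random mapping on ⟨D_1⟩ and may enter a cycle before #G + 1 distinct smooth elements are seen; repeated rows are harmless here, since any kernel vector yields a valid relation (a pair of equal rows reproduces exactly the collision formula of section 2.3).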

3 Analysis 

3.1 Probability for a Divisor to Be Smooth 

The following proposition gives the proportion of smooth divisors and then the 
probability of smoothness in a random walk. This is a key tool for the complexity 
analysis. 

Proposition 4 The proportion of smooth divisors in the Jacobian of a curve of 
genus g over F_q tends to 1/g! when q tends to infinity. 

Proof: This proposition is based on the Hasse-Weil bound for algebraic curves: 
the number of points of a curve of genus g over a finite field with q elements is 
equal to q + 1 with an error of at most 2g√q, i.e. for q large enough we can neglect 
it. Moreover the cardinality of its Jacobian is equal to q^g with an error bounded 
by approximately 2g q^{g−1/2}. Here the approximation holds when q is sufficiently 
large compared to 4g^2, which is the case in the applications considered. 

To evaluate the proportion of smooth divisors, we consider the number of 
points of the curve over F_q which is approximately q. Now, the smooth divisors 
of the Jacobian are in bijection with the g-multisets of points of the curve: we 
have q^g/g! smooth divisors, and the searched proportion is 1/g!. □ 
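The degree-1 step of DDF from section 2.4 and the 1/g! proportion of Proposition 4 can both be checked on a small field. The Python program below is an added example, not code from the paper: it works over a prime field F_p only (the paper allows any F_q), represents polynomials as coefficient lists, computes gcd(x^p − x, u) with x^p obtained by square-and-multiply modulo u, and exhaustively counts the monic polynomials of degree g that split completely. The parameters p = 23, g = 3 are chosen for speed and are not from the paper. One caveat the text does not spell out: when u has a repeated root, gcd(x^p − x, u) contains each root only once, so comparing its degree with deg u rejects a divisor that is in fact smooth; the test below divides the linear part out and repeats, which accepts such u as well, and the exhaustive count then equals C(p+g−1, g), the number of g-multisets of roots that the proof of Proposition 4 counts.

```python
from itertools import product
from math import comb


def trim(a):
    """Remove leading zeros of a coefficient list (lowest degree first)."""
    while a and a[-1] == 0:
        a.pop()
    return a


def degree(a):
    return len(a) - 1            # the zero polynomial gets degree -1


def mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)


def divmod_poly(a, b, p):
    """Quotient and remainder of a by b over F_p (b != 0)."""
    a, b = trim(a[:]), trim(b[:])
    inv = pow(b[-1], -1, p)
    q = [0] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        c = a[-1] * inv % p
        shift = len(a) - len(b)
        q[shift] = c
        for i, y in enumerate(b):
            a[shift + i] = (a[shift + i] - c * y) % p
        trim(a)
    return trim(q), a


def gcd(a, b, p):
    a, b = trim(a[:]), trim(b[:])
    while b:
        a, b = b, divmod_poly(a, b, p)[1]
    return a


def sub(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x - y) % p for x, y in zip(a, b)])


def x_pow_p_mod(u, p):
    """x^p mod u by square-and-multiply; the only expensive step of the test."""
    result, base, e = [1], divmod_poly([0, 1], u, p)[1], p
    while e:
        if e & 1:
            result = divmod_poly(mul(result, base, p), u, p)[1]
        base = divmod_poly(mul(base, base, p), u, p)[1]
        e >>= 1
    return result


def splits_completely(u, p):
    """True iff u is a product of degree-1 factors over F_p.
    gcd(x^p - x, u) is the product of the distinct linear factors of u; the
    paper compares its degree with deg u. Dividing it out and repeating also
    accepts polynomials with repeated roots."""
    u = trim(u[:])
    while degree(u) > 0:
        x_mod_u = divmod_poly([0, 1], u, p)[1]
        linear_part = gcd(sub(x_pow_p_mod(u, p), x_mod_u, p), u, p)
        if degree(linear_part) < 1:
            return False           # an irreducible factor of degree >= 2 remains
        u = divmod_poly(u, linear_part, p)[0]
    return True


def count_split(p, g):
    """(number of monic degree-g polynomials over F_p that split, total number).
    Proposition 4 predicts the ratio tends to 1/g!; exactly it is C(p+g-1, g) / p^g."""
    hits = 0
    for low in product(range(p), repeat=g):
        if splits_completely(list(low) + [1], p):
            hits += 1
    return hits, p ** g


if __name__ == "__main__":
    p, g = 23, 3
    hits, total = count_split(p, g)
    print(f"p={p}, g={g}: {hits}/{total} = {hits / total:.3f}, 1/g! = {1 / 6:.3f}, "
          f"C(p+g-1, g) = {comb(p + g - 1, g)}")
```

For p = 23 and g = 3 the exact proportion is 2300/12167 ≈ 0.19 against the limit 1/3! ≈ 0.167; the gap is the (1 + O(g/q)) factor hidden in the approximation of the proof.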



3.2 Complexity 

The complexity of the algorithm will be exponential in the size of q, so we will 
count the number of operations which can be done in polynomial time. These 
operations are of four types: we denote by c_J the cost of a group operation in 
the Jacobian, c_q the cost of an operation in the base field, c_{q,g} the cost of an 
operation on polynomials of degree g over the base field, and c_n the cost of an 
operation in Z/nZ, where n ≈ q^g is the order of the Jacobian. We consider the 
enumeration of steps in figure 1. 

Step 1. For the building of the factor basis, we have to perform q times (i.e. the 
number of monic irreducible polynomials of degree 1) a resolution of an equation 
of degree 2 over F_q. Hence the complexity of this phase is O(q c_q). 

Step 2. The initialization of the random walk is only a polynomial number of 
simple operations. Hence we have O((log n) c_J) for this step. 

Step 3. We have to repeat #G = O(q) times the steps 3.a. and 3.b. 

Step 3.a. The computation of a new element of the random walk costs an addi- 
tion in the Jacobian and two additions modulo n, and the test for its smoothness 
costs a first step of DDF. By proposition 4, we have to compute g! divisors on 
average before getting a smooth one and going away from step 3.a. Hence the 
cost of this step is O(g!(c_J + c_n + c_{q,g})). 

Step 3.b. The final splitting of the polynomial in order to express the divisor 
on the factor basis can not be proved to be deterministic polynomial (though 
it is very fast in practice). For the analysis, we can then suppose that we do a 
trial division with all the elements of the basis. This leads to a complexity of 
O(q c_{q,g}). 

Hence the complexity of step 3. is O(q g!(c_J + c_n + c_{q,g})) + O(q^2 c_{q,g}). 

Step 4. This linear algebra step consists in finding a vector of the kernel in 
a sparse matrix of size O(q), and of weight O(gq); the coefficients are in Z/nZ. 
Hence Lanczos's algorithm provides a solution with cost O(q^2 c_n). 

Step 5. This last step requires only O(q) multiplications modulo n, and one 
inversion. Hence the complexity is O(q c_n). 

Finally, the overall complexity of the algorithm is O(q g! c_J) + O((q g! + q^2)(c_n + 
c_{q,g})) + O(q c_q). Now, by Cantor's algorithm c_J is polynomial in log q, and clas- 
sical algorithms on finite fields and polynomials give c_n polynomial in log n = g log q, 
c_q polynomial in log q and c_{q,g} polynomial in log q. Hence all these operations 
can be done in time bounded by a polynomial in log q. 

Theorem 1 The algorithm requires O(q^2 + g! q) polynomial time operations in 
log q and if one considers a fixed genus g, the algorithm takes time O(q^2 log^2 q). 

4 Using Automorphisms on the Curve 

4.1 Curves with Automorphisms in the Literature 

When buiding a cryptosystem based on a hyperelliptic curve, it is preferable 
to know the order of the Jacobian of this curve. Indeed, some protocols use the 
group order; moreover it is necessary to be sure that it is not smooth. For elliptic 
curves, the Schoof-Elkies- Atkin algorithm allows to compute quickly this order 
for random curves (see [29] [28] [22] ). For random hyperelliptic curves, a similar 
polynomial time algorithm exists [33] , however it is still unusable in practice (see 
recent progress on this subject [21] [43]). That is the reason why the curves that 
we can find in the literature are very particular: they are built in such a way 
that the order of their Jacobian is easy to compute. 

A first way to build such curves is to take a curve defined over a small finite 
field Fq. It is then possible to deduce the Zeta function (and hence the order) 
of the Jacobian on the large field F^n from the Zeta function of the Jacobian 
on the small field. This construction provides then the so-called Frobenius au- 
tomorphism defined by which can be applied to each coordinate of a 

point of the curve and gives therefore an automorphism of order n. 

Another construction, which is a bit harder than the previous one (see [42], [7], [3]), comes from the theory of complex multiplication. This theory makes it possible to build a curve starting from its ring of endomorphisms. In some cases, this ring contains units of finite order, and then there is an automorphism of the curve corresponding to such a unit. 

In Table 1 we give some examples of curves found in the literature with non-trivial automorphisms, and the order obtained by combining them together with the hyperelliptic involution. 



4.2 Reducing the Factor Basis with an Automorphism 

In the context of Pollard's rho algorithm, the existence of an automorphism of order m that can be quickly evaluated can be used to divide the expected running time by a factor √m, see [9]. With our algorithm, the automorphism can be used to reduce the basis and leads to a speed-up by a factor m^2, which can be very significant in practice. Moreover, the automorphism does not need to be evaluated as quickly as in the rho method: a polynomial time evaluation is enough. 

Table 1. Examples of curves 

Author                 | Equation of curve                      | Field                      | Automorphisms                                                          | Order 
Koblitz [24], [25]     | Y^2 + Y = X^{2g+1} + X                 | F_{2^n}                    | Frobenius                                                              | 2n 
                       | Y^2 + Y = X^{2g+1}                     | F_{2^n}                    | Frobenius                                                              | 2n 
Buhler, Koblitz [3];   | Y^2 + Y = X^{2g+1} (and twists)        | F_p with p ≡ 1 mod (2g+1)  | multiplication by ζ_{2g+1}                                             | 2(2g+1) 
Chao et al. [7]        |                                        |                            |                                                                        | 
Sakai, Sakurai [36];   | Y^2 + Y = X^13 + X^11 + X^9 + X^5 + 1  | F_{2^29}                   | Frobenius and (X, Y) ↦ (X + 1, Y + X^6 + X^5 + X^4 + X^3 + X^2 + 1)    | 4 × 29 
Smart [41]             |                                        |                            |                                                                        | 
Duursma, Sakurai [10]  | Y^2 = X^p − X + 1                      | F_{p^n}                    | Frobenius and (X, Y) ↦ (X + 1, Y)                                      | 2np 

The idea is to keep in the factor basis one representative for each orbit under the action of the automorphism. Thus the size of the basis is reduced by a factor m, so the necessary number of relations is reduced by the same factor, and the linear algebra phase is sped up by a factor m^2. Let us explain how it works. 

For the moment, assume that the Jacobian is cyclic of prime order n = ord(D_1), and denote by σ an automorphism of order m on C, extended by linearity to an automorphism of J(C). Then σ(D_1) belongs to J(C) = ⟨D_1⟩, and there exists an integer λ such that σ(D_1) = λD_1. Moreover, σ being a group automorphism, for all D ∈ J(C) we have D = kD_1 and σ(D) = σ(kD_1) = kσ(D_1) = kλD_1 = λD. 

Suppose now that we have only kept in the basis one element for each orbit under σ. Let D = P_1 + P_2 + ··· + P_k = αD_1 + βD_2 be the decomposition of a smooth divisor into prime divisors of degree 1. For each i, there is a power of σ such that the prime divisor P_i is equal to σ^{k_i}(Q_i), where Q_i is an element of the reduced factor basis. Then we can write D = λ^{k_1}Q_1 + ··· + λ^{k_k}Q_k, and we have a relation in a matrix with m times fewer columns than the original one. 

For the general case where the Jacobian is not cyclic and where we work in a subgroup of prime order n, we have to work a little to justify the computations, but in practice we do essentially the same. 



5 Implementation and Results 

We have implemented the algorithm in two distinct parts. The first one deals with the building of the matrix and is written in the computer algebra system Magma [2], which is a very good compromise between high level programming and efficiency. The second part is our optimized implementation of the Lanczos algorithm, written in C. 
5.1 Implementation of the Search for Relations 

This part of the implementation was not optimized: it can be done in parallel and it is not the limiting phase. However, an interesting optimization suggested by François Morain has been tested. It is based on a paper by Swan [44], where a theorem is given which relates the parity of the number of irreducible factors of a polynomial over a finite field to whether or not its discriminant is a square in the corresponding local field. In the context of smoothness testing, a first computation can be done that tests if the discriminant is a square, and then in half the cases we know that the polynomial cannot split completely and we reject it. If the first test is passed, we do the classical smoothness test by DDF. 

This technique provides a gain if and only if Swan's test costs less than half the time of the classical one. In odd characteristic, this is always the case (for large q), but in characteristic 2 the running time estimation is harder because some computations have to be done over an extension of Z/8Z and no package exists that provides optimized code for this ring. Note that the complications in even characteristic are not surprising, because in the finite field F_{2^n} every element is a quadratic residue and it is not simple to have a practical translation of Swan's theorem. 

In our implementation, the use of Swan's theorem gave us a speed-up of 30 to 40% for the smoothness test in odd characteristic, but no improvement for characteristic 2. 
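An added example, not the authors' implementation, of the early abort just described: Swan's parity test (via the discriminant and Euler's criterion) applied to monic polynomials over F_p before a full splitting test, run on constructed random inputs and constructed smooth inputs. The prime p = 101, the degree 6 (the u-polynomial of a random divisor on a genus-6 curve) and all function names are choices made here.

```python
import random

def trim(f):
    """Drop leading zero coefficients in place; the zero polynomial is [0]."""
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f

def pmul(f, g, p):
    h = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] = (h[i + j] + a * b) % p
    return trim(h)

def pdivmod(f, g, p):
    """Quotient and remainder of f by g over F_p (g nonzero); coefficients
    are listed lowest degree first."""
    f, g = f[:], trim(g[:])
    inv = pow(g[-1], p - 2, p)
    q = [0] * max(1, len(f) - len(g) + 1)
    while f != [0] and len(f) >= len(g):
        c = f[-1] * inv % p
        shift = len(f) - len(g)
        q[shift] = c
        for i, b in enumerate(g):
            f[i + shift] = (f[i + shift] - c * b) % p
        trim(f)
    return trim(q), f

def deriv(f, p):
    return trim([i * c % p for i, c in enumerate(f)][1:] or [0])

def resultant(f, g, p):
    """Res(f, g) over F_p via Res(f, g) = (-1)^(mn) lc(g)^(m-k) Res(g, f mod g),
    with m = deg f, n = deg g, k = deg(f mod g)."""
    m, n = len(f) - 1, len(g) - 1
    if n == 0:
        return pow(g[0], m, p)
    if m == 0:
        return pow(f[0], n, p)
    if m < n:
        return (-1) ** (m * n) * resultant(g, f, p) % p
    r = pdivmod(f, g, p)[1]
    if r == [0]:
        return 0                                    # f and g share a factor
    return (-1) ** (m * n) * pow(g[-1], m - len(r) + 1, p) * resultant(g, r, p) % p

def discriminant(f, p):
    """disc(f) = (-1)^(n(n-1)/2) Res(f, f') for monic f of degree n."""
    n = len(f) - 1
    return (-1) ** (n * (n - 1) // 2) * resultant(f, deriv(f, p), p) % p

def swan_may_split(f, p):
    """Swan's early abort (p odd).  Stickelberger: a squarefree f of degree n
    with r irreducible factors over F_p has a square discriminant iff
    r == n (mod 2).  A smooth f (all factors linear) has r == n, so a
    non-square discriminant rules smoothness out.  disc == 0 means f is not
    squarefree: the theorem says nothing and the full test must decide."""
    d = discriminant(f, p)
    return d == 0 or pow(d, (p - 1) // 2, p) == 1   # Euler's criterion

def splits_completely(f, p):
    """Full smoothness test (reference): divide out roots with multiplicity.
    The paper's implementation uses DDF, i.e. gcd(f, x^p - x), instead."""
    f = f[:]
    for a in range(p):
        while len(f) > 1:
            q, r = pdivmod(f, [(-a) % p, 1], p)     # divide by x - a
            if r != [0]:
                break
            f = q
    return len(f) == 1

def random_split_poly(p, degree, rng):
    """Constructed smooth sample: a product of random linear factors."""
    f = [1]
    for _ in range(degree):
        f = pmul(f, [(-rng.randrange(p)) % p, 1], p)
    return f

def filter_stats(p=101, degree=6, trials=400, seed=1):
    """Run the early abort on random monic polynomials and on constructed
    smooth ones.  Returns (rejected, smooth, wrong); wrong counts smooth
    polynomials the filter rejected and must be 0."""
    rng = random.Random(seed)
    rejected = smooth = wrong = 0
    for _ in range(trials):
        f = [rng.randrange(p) for _ in range(degree)] + [1]   # monic
        passes = swan_may_split(f, p)
        rejected += not passes
        if splits_completely(f, p):
            smooth += 1
            wrong += not passes
    for _ in range(50):
        f = random_split_poly(p, degree, rng)
        smooth += 1
        wrong += not swan_may_split(f, p)
    return rejected, smooth, wrong
```

On random input the filter rejects about half of the polynomials, as the text says, and never a smooth one; the full test still has to run on the other half.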

5.2 Implementation of the Linear Algebra 

A critical step in the algorithm is the search for a vector in the kernel of a sparse matrix. We chose Lanczos's algorithm in preference to Wiedemann's, because it needs only 2n products of the matrix by a vector, compared to 3n with Wiedemann's technique. The drawback is a non-negligible amount of time spent computing some scalar products. We refer to [27] for a precise comparison of these two algorithms. 

We wrote our program in the C language, using the ZEN library [6] for things which were not critical (i.e. operations that are called a linear number of times), and for the others (i.e. operations in the matrix-vector multiplication and scalar products) we used direct calls to some assembly routines taken from the GMP [18] and BigNum [20] packages. Indeed, our compact representation of the matrix led to an overhead when using the ZEN functions. We used a classical representation (we could probably obtain a better efficiency with Montgomery representation), with the lazy reduction technique explained in [8]. 

Before running Lanczos's algorithm, a preprocessing can be done on the matrix (see [8], [5]). This filtering step (also called structured Gaussian elimination) consists of the following tasks: 

— Delete the empty columns. 

— Delete the columns with exactly one term, and the corresponding row. 

— If the number of rows is greater than the number of columns plus one, delete one row (randomly chosen, or via a heuristic method). 

— Try the beginning of a Gaussian elimination, where the pivot is chosen so as to minimize the increase in the weight of the matrix, and stop when it increases the cost of Lanczos's algorithm. 

For the examples below, we have run only the first three tasks, our implementation of the last one being unsatisfactory. Therefore there is still room for further optimizations. 
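An added example, not the authors' Magma or C code, of the first three filtering tasks above on a small constructed relation matrix. Each row is one relation stored as a dict {column: coefficient}; dropping the heaviest rows in the third task is one heuristic chosen here (the text also allows a random choice), and the sample matrix is constructed.

```python
def _column_counts(rows, alive):
    """Number of live rows in which each column occurs (absent = empty)."""
    counts = {}
    for i in alive:
        for c in rows[i]:
            counts[c] = counts.get(c, 0) + 1
    return counts

def filter_matrix(rows):
    """Return (filtered_rows, kept_row_indices, column_map).

    Task 1 (empty columns) is done by renumbering only the columns that still
    occur.  Task 2 removes a column occurring in exactly one row together with
    that row: a combination of relations summing to zero must give that row
    coefficient zero, so the row is useless; removals can create new
    singletons, hence the loop.  Task 3 keeps at most #columns + 1 rows, which
    still guarantees a dependency, dropping the heaviest rows first."""
    alive = list(range(len(rows)))
    while True:
        counts = _column_counts(rows, alive)
        singles = {c for c, k in counts.items() if k == 1}
        if singles:                                        # task 2
            alive = [i for i in alive if not singles.intersection(rows[i])]
            continue
        n_cols = len(counts)
        if len(alive) > n_cols + 1:                        # task 3
            by_weight = sorted(alive, key=lambda i: (len(rows[i]), i))
            alive = sorted(by_weight[:n_cols + 1])
            continue                                       # recheck tasks 1-2
        break
    column_map = {c: j for j, c in enumerate(sorted(counts))}   # task 1
    filtered = [{column_map[c]: v for c, v in rows[i].items()} for i in alive]
    return filtered, alive, column_map

def check_filtered(rows):
    """True iff no column is empty or a singleton and #rows <= #columns + 1."""
    counts = _column_counts(rows, range(len(rows)))
    n_cols = 1 + max(counts) if counts else 0
    return (all(counts.get(c, 0) >= 2 for c in range(n_cols))
            and len(rows) <= n_cols + 1)

# Constructed sample: 7 relations over columns 0..6; columns 0 and 6 are
# empty, column 5 occurs only in row 3.
SAMPLE_ROWS = [
    {1: 1, 2: 1},
    {1: 1, 3: 3},
    {2: 2, 3: 1, 4: 1},
    {4: 1, 5: 1},
    {1: 1, 2: 1, 3: 1},
    {2: 1, 4: 1},
    {1: 2, 4: 1},
]
```

On the sample, row 3 goes with singleton column 5, the heaviest remaining row (row 4) goes because 6 rows exceed 4 columns + 1, and the four surviving columns are renumbered 0..3.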

5.3 Timings for Real Life Curves 

The first example is a cryptosystem recently proposed by Buhler and Koblitz [3]. We took the values recommended by Koblitz in his book [26], i.e. we have worked on the curve Y^2 + Y = X^13 with a prime base field of order greater than 5 000 000, with p ≡ 1 mod 13. This curve has an automorphism of order 13 coming from complex multiplication, which helps in the computation of the order of the Jacobian, but also helps our attack. 

The following table gives precise information on that curve. 

field     | F_5026243 
equation  | Y^2 + Y = X^13 
genus     | 6 
#J        | 13^3 × 7345240503856807663632202049344834001 ≈ 10^40 

We give the measured timings for the computation of a discrete logarithm in the following table. These timings are on a Pentium II 450 MHz with 128 Mb. During the Lanczos step (the most space consuming part of the algorithm), the memory used was around 60 Mb. 

cardinal of factor basis                 | 193 485 
time for building the basis              | 1638 sec 
number of random steps                   | 201 426 284 
number of early aborts by Swan           | 100 721 873 
number of relations collected            | 281 200 
1 / proportion of smooths (g!)           | 716.3 (720) 
total time for collecting the relations  | 513 870 sec = 6 days 
time for writing relations on the basis  | 8 822 sec 
time for preprocessing the matrix        | 1218 sec 
size of the matrix                       | 165 778 × 165 779 
total time for Lanczos                   | 780 268 sec = 9 days 



Our algorithm is not dependent on the characteristic of the base field. We have tested our implementation on a genus 6 curve over F_{2^23}. This curve was obtained by extending the scalars of a curve defined over F_2. Therefore the Frobenius automorphism can be used to accelerate the attack. The size of the Jacobian is around 10^41. Such a curve is not breakable by a parallel collision search based on the birthday paradox (variants of Rho); indeed, even using the automorphism, we would have to compute about 2®^ operations in the Jacobian. 

We give the same indications as for the previous curve. 

field     | F_{2^23} 
equation  | ^ + ( +1) = “+ '+ ">+ +1 
genus     | 6 
#J        | 2^3 × 7 × 6225718452117034383550124899048999495177 ≈ 10^41 

cardinal of factor basis                 | 182 462 
time for building the basis              | 6575 sec 
number of random steps                   | 165 732 450 
number of relations collected            | 231 000 
1 / proportion of smooths (g!)           | 717.5 (720) 
total time for collecting the relations  | 797 073 sec = 9 days 
time for writing relations on the basis  | 12 057 sec 
time for preprocessing the matrix        | 880 sec 
size of the matrix                       | 162 873 × 162 874 
total time for Lanczos                   | 1 038 534 sec = 12 days 



6 Conclusion 

We have proposed an algorithm for the hyperelliptic discrete logarithm problem which is simpler to implement and to analyze than the previous ones. It is especially well suited for practical cryptosystems where the genus is not too large (say less than 9) and the base field is relatively small. Indeed, the expected running time is O(q^2) for curves of small genus, and therefore it is faster than Pollard's rho as soon as the genus is greater than 4, as shown in the following table (exponent of q in the running time): 

g     | 1   | 2 | 3   | 4 | 5   | 6 | 7 
Rho   | 1/2 | 1 | 3/2 | 2 | 5/2 | 3 | 7/2 
Index | 2   | 2 | 2   | 2 | 2   | 2 | 2 

Practical experiments have shown that this algorithm is efficient in practice, and a genus 6 example was broken by this technique. Hence it seems that there is no point in using hyperelliptic cryptosystems with genus other than 2, 3 or 4, because for a higher genus the size of the key has to be chosen larger in order to guarantee a given level of security. Indeed, assume that we want a key of size 2^160, i.e. a group of order ≈ 2^160; then we have to choose g log q ≈ 160. Increasing g implies decreasing log q and helps the attack. Hence one of the interests of using hyperelliptic curves, which was to decrease the size of q (for example to avoid multiprecision), becomes a weakness. 

The special case of genus 4 has to be studied further. In a first approximation the complexities of Rho and of our algorithm seem similar, but one trick can be played. We can decide to keep only a fraction of the divisors in the factor basis. Assume that we reduce the basis by a factor n. Then the probability of getting a good divisor in the random walk is reduced by a factor n^g, and the cost of the first phase of the algorithm increases by a factor n^{g−1} (n^g times more steps per relation, but n times fewer relations), whereas the linear algebra is reduced by a factor n^2. In this context, Robert Harley pointed out to us that if we assume that the factorization of polynomials can be done in polynomial time (true in practice), we can balance both phases and choose n in order to get an overall complexity of O(q^{2 − 2/(g+1)}). For g = 4, it becomes O(q^{8/5}), which is better than the complexity of the Rho method. We are going to do practical comparisons between the two approaches in the near future. 

From a theoretical point of view, we can also analyse our algorithm in the same model as the ADH algorithm, i.e. we assume that the genus grows with q and is always large enough. More precisely, when g is large compared to log q, we can let the smoothness bound S vary (instead of having it fixed to one), and we obtain a subexponential algorithm with expected running time L_{q^g}[1/2, √2]. This result is part of a work with Andreas Enge, where a general framework for this kind of attack is given [12]. 
Abstract. We describe an enhanced version of the TWINKLE factoring 
device and analyse to what extent it can be expected to speed up the 
sieving step of the Quadratic Sieve and Number Field Sieve factoring al- 
gorithms. The bottom line of our analysis is that the TWINKLE-assisted 
factorization of 768-bit numbers is difficult but doable in about 9 months 
(including the sieving and matrix parts) by a large organization which 
can use 80,000 standard Pentium II PC’s and 5,000 TWINKLE devices. 

1 Introduction 

The TWINKLE device is an optoelectronic device which is designed to speed up 
the sieving operation in the Quadratic Sieve (QS) and Number Field Sieve (NFS) 
integer factoring algorithms by using arrays of light emitting diodes (LED’s) 
which blink at various rates (cf. [7]). The main purpose of this paper is to carry 
out a detailed and realistic analysis of the expected behavior of a TWINKLE- 
assisted factoring attempt on inputs whose binary sizes are 384, 512, and 768 
bits. In particular, we describe the optimal choice of the many parameters in- 
volved in such factoring attempts, and identify several areas in which the orig- 
inal TWINKLE design leads to computational bottlenecks. We then propose 
enhanced hardware and algorithmic designs which eliminate these bottlenecks, 
and make such factorizations more feasible. 

This paper is organized as follows. In Section 2 we briefly review the origi- 
nal TWINKLE design from [7]. In Section 3 we discuss the applicability of the 
original TWINKLE design to 384-bit numbers using the QS algorithm. In the 
remainder of the paper we concentrate on how TWINKLE may be used for the 
sieving step of the NFS for the factorization of 512-bit and 768-bit numbers. 
In Section 4 we briefly sketch the required NFS background, and in Section 5 
we discuss the sieving step of the NFS in more detail. In Section 6 we present a 
number of hardware enhancements of the TWINKLE device. In Section 7 we de- 
scribe how the NFS sieving step may be carried out on the modified TWINKLE 
device and we analyse its running time. In Section 8 we address the question of what it is about TWINKLE that makes LED's necessary, and comment upon the proposals to build a TWINKLE-like device using ordinary electronic circuitry. 

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 35-52, 2000. 

© Springer-Verlag Berlin Heidelberg 2000 
All PC running times referred to in this paper are actual measurements rather 
than asymptotic or conjectured running times. They are based on optimized 
implementations of the various algorithms on a 450MHz Pentium II PC with 
192 megabytes of RAM. However, the TWINKLE device itself has not been 
built so far, and thus its feasibility, performance, and cost are open to debate. 

2 The Original TWINKLE Design 

We recall the basics of the TWINKLE device as described in [7]. The most time consuming step of most modern factoring algorithms is the 'sieving step': for many pairs of integers (p, r) in succession, add an approximation of log(p) to location r + kp of a sieve interval (initialized to zeros) for all integers k such that r + kp is in the interval, and report all j for which location j exceeds a certain threshold. Standard implementations use space (memory) to represent the interval, and time (clock cycles) to loop over the (p, r) pairs. The TWINKLE device reverses the roles of space and time: it uses space to represent the (p, r) pairs, and time to loop over the sieve interval. This goes as follows. 

The TWINKLE device is a cylinder of 6 inch diameter and 10 inch height. 
The bottom consists of a single wafer of GaAs, containing one ‘cell’ for each 
different p. Each cell contains an LED, a photodetector, an A register repre- 
senting the value of p, for each r corresponding to that p a B register initially 
loaded with a representation of r, and wiring. The top of the cylinder contains 
a summing photodetector that measures the total light intensity emitted by the 
bottom LED’s and a clocking LED that distributes the clock signal by flashing 
at a fixed clock rate. As clock signal j is received by a cell's photodetector, the 
values of the B registers are decremented by one, if a resulting value represents 
zero the cell’s LED flashes with intensity proportional to log(p), and the A reg- 
ister is copied to the B register representing zero. If the total light intensity 
detected by the top photodetector exceeds a certain threshold the value of j is 
reported. Further details of the original TWINKLE design, such as how integers 
are represented and decremented and how the optical delays are handled, can 
be found in [7] . 

The bottom wafer as proposed in [7] contains 10^5 cells with one A and two B registers each, and is clocked at 10 GHz. Since it takes a single clock cycle to sum the values corresponding to a sieve location and to report the location if necessary, this would correspond to a QS implementation that takes 10 milliseconds to inspect 10^8 integers for smoothness with respect to the primes up to 3 * 10^6. 
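As an added example (not from the paper), the following software model runs a conventional memory-based sieve and the TWINKLE cell model of this section side by side, so that the space/time reversal can be checked location by location. The toy instance is constructed here: the QS polynomial (x + m)^2 − n for n = 8051 = 83 * 97 over a 40-location interval, a factor base of primes below 25, and log(p) approximated by a scaled integer; the threshold and all names are choices made for this example.

```python
import math

# Constructed toy instance: sieve f(x) = (x + M)^2 - N for x in [0, LENGTH),
# the QS polynomial with M = ceil(sqrt(N)).
N = 8051                       # = 83 * 97
M = math.isqrt(N) + 1          # 90
LENGTH = 40
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23]
THRESHOLD = 5000               # intensities below are log(p) scaled by 1000

def intensity(p):
    """Approximation of log(p), scaled to an integer so that both sieves
    below add exactly the same values."""
    return round(math.log(p) * 1000)

def factor_base_pairs(n, m, primes):
    """(p, r) pairs such that p divides f(x) exactly for x = r + kp;
    primes for which n is not a square mod p contribute no pair."""
    pairs = []
    for p in primes:
        for s in range(p):
            if (s * s - n) % p == 0:            # s is a square root of n mod p
                pairs.append((p, (s - m) % p))
    return pairs

def conventional_sieve(pairs, length, threshold):
    """PC-style sieve: memory holds the interval, time loops over (p, r)."""
    sieve = [0] * length
    for p, r in pairs:
        for j in range(r, length, p):
            sieve[j] += intensity(p)
    return [j for j, s in enumerate(sieve) if s > threshold]

class Cell:
    """One TWINKLE cell: A register = p, one B register per root r, an LED."""

    def __init__(self, p, roots):
        self.a = p
        self.b = list(roots)                    # B registers loaded with the r's
        self.light = intensity(p)

    def tick(self):
        """One clock flash: a B register at zero makes the LED flash and is
        reloaded from A; afterwards every B register is decremented."""
        emitted = 0
        for i, b in enumerate(self.b):
            if b == 0:
                emitted += self.light
                self.b[i] = self.a
            self.b[i] -= 1
        return emitted

def twinkle_sieve(pairs, length, threshold):
    """TWINKLE: space (the cells) holds the (p, r) pairs, time loops over the
    interval; the top photodetector sums the light of all cells per clock."""
    roots = {}
    for p, r in pairs:
        roots.setdefault(p, []).append(r)
    wafer = [Cell(p, rs) for p, rs in roots.items()]
    reports = []
    for j in range(length):                     # clock signal j
        if sum(cell.tick() for cell in wafer) > threshold:
            reports.append(j)
    return reports

def is_smooth(value, primes):
    for p in primes:
        while value % p == 0:
            value //= p
    return value == 1

def run_demo():
    """Returns (PC reports, TWINKLE reports, reports whose value is smooth)."""
    pairs = factor_base_pairs(N, M, SMALL_PRIMES)
    pc = conventional_sieve(pairs, LENGTH, THRESHOLD)
    tw = twinkle_sieve(pairs, LENGTH, THRESHOLD)
    smooth = [j for j in tw if is_smooth((j + M) ** 2 - N, SMALL_PRIMES)]
    return pc, tw, smooth
```

Both sieves report the same locations; the value x = 9 (f(9) = 2 * 5^3 * 7) is smooth but stays below the threshold because the sieve adds log(p) once per location, not per prime power, which is why reports are only candidates.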

Analysis and Optimization of the TWINKLE Factoring Device 37 

3 Analysis of TWINKLE-Assisted 384-Bit QS Factorizations 

The original description of the TWINKLE device in [7] is geared towards the QS factoring algorithm (cf. [6]). In this section we analyse the effectiveness of the original TWINKLE device for the factorization of 384-bit numbers using the QS. 

Although 384-bit numbers are unlikely to be the moduli in RSA cryptosys- 
tems, their quick factorization may be useful in various number theoretic sub- 
routines (e.g., when we try to complete the factorization of a large number of 
randomly generated values after we eliminate their smooth parts). The factor- 
ization of such numbers is not particularly difficult - it can be carried out in a 
few months on a single PC. Our goal is simply to find out the improvement ratio 
between TWINKLE-assisted factorizations and PC-based factorizations. There 
are two reasons why such an analysis can be interesting: 

— There is a great deal of experimental data on the optimal choice of param- 
eters and the actual running time when factoring numbers of this size, and 
thus the comparison can be based on harder data. 

— It enables us to examine the specific issues related to the implementation of 
the QS algorithm on the TWINKLE device. The QS and NFS algorithms 
exhibit quite different properties when implemented on the TWINKLE de- 
vice, but for larger input sizes the QS algorithm is simply not competitive 
with the NFS algorithm. 

We assume that the reader is familiar with the general outline of the QS algorithm (see, e.g., [7]). A sequence of quadratic polynomials f_1, f_2, ... is generated that depends on the number to be factored and the length 2 * A of the sieve interval. For i = 1, 2, ... in succession the roots of the f_i modulo the primes in the factor base are computed and the values f_i(x) for −A < x < A are sieved to test them for smoothness. The resulting smooth values have to be post-processed, which consists of trial division possibly followed by the computation of the decomposition of the resulting cofactor. For the QS algorithm the post-processing step is negligible compared to the polynomial generation and root computation. When doing the actual sieving on the TWINKLE device, polynomial generation, root finding, and post-processing have to be carried out by one or more auxiliary PC's. The sequence of polynomials can be generated using the ordinary Multiple Polynomial variant (MPQS) or using the Self Initializing variant (SIQS). 

Based on actual data, the factorization of a 384-bit number with the QS 
algorithm on a single 450 MHz Pentium II requires: 

— About 9 months when running the QS algorithm with optimal parameters: 186,000 primes in the factor base and 2 * A ≈ 1,600,000 (SIQS) or 2 * A ≈ 16,000,000 (MPQS). 

— About 14 months when running the QS algorithm with the suboptimal choices used in the original TWINKLE design (cf. [7]): 100,000 primes in the factor base and a sieving interval of length 2 * A = 100,000,000. 

For 384-bit inputs, there is little difference between the running times of MPQS 
and SIQS, but SIQS can compute the roots of the fi faster, which is a signifi- 
cant advantage in TWINKLE-assisted factorizations. For the optimal choice of 
parameters, a PC implementation spends about 25% of the time on polynomial 
selection and root finding, but for the original choice (which we shall assume 
from now on) this fraction drops to 0.6% (about 0.09 seconds per polynomial on 
a PC). We consider two possible scenarios: 

1. A TWINKLE device running at the maximum possible speed of 10 GHz. 
Each sieving interval of length 100,000,000 can be scanned in 0.01 seconds 
(cf. [7]). The total running time of the TWINKLE device is about 11 hours, 
and 9 (= 0.09/0.01) PC’s are needed to generate the polynomials and to 
compute their roots. These 9 PC’s can execute a conventional QS factor- 
ization with optimal parameters in about a month, and thus the achievable 
improvement ratio is approximately 30 * 24/11 ≈ 65. 

2. A TWINKLE device running at the minimum recommended speed of 1 GHz 
(cf. 6.1). Scanning a single interval takes 0.1 seconds, and the whole scanning 
phase takes 110 hours or about 4.5 days. However, in this case we need only 
one PC to support the TWINKLE device. Thus we have to compare this 
execution time to the 9 months required by a single PC implementation of 
QS with optimal parameters. The relevant improvement ratio is thus 9 * 30 * 24/110 ≈ 59. 

The surprising conclusion is that we get about the same improvement ratio 
regardless of whether we run the TWINKLE device at 10 GHz or at 1 GHz, 
since the computational bottleneck is in the supporting PC’s. As described in 
6.1, a 1 GHz TWINKLE is much easier to design and operate, and can make 
the whole idea much more practical. 

The improvement ratio of about 60 refers only to application of the QS 
because a 384-bit number can be factored in about 2 months on a PC using the 
NFS (this figure is based on extrapolation of the results from [1]). 

We next consider the problem of factoring 512-bit numbers, which are typical 
RSA keys in E-commerce applications. For this size the QS is not competitive 
with the asymptotically faster NFS so we concentrate on the NFS in the remain- 
der of this article. 



4 Number Field Sieve 

The Number Field Sieve integer factorization algorithm consists of four main 
steps: 

— Polynomial selection; 

— Sieving; 

— Matrix processing; 

— Algebraic square root computation. 

We briefly describe these steps as far as relevant for the description of the TWIN- 
KLE device. Let n be the number to be factored. For ease of exposition we assume 
that n is a 512-bit number. 
4.1 Polynomial Selection 

In the first step of the NFS factorization of n two polynomials of degrees 5 and 1 with a common root modulo n are selected: 

f_1(x) = a_5 x^5 + a_4 x^4 + a_3 x^3 + a_2 x^2 + a_1 x + a_0 ∈ Z[x] 

and 

f_2(x) = x − m ∈ Z[x], 

where f_1(m) ≡ 0 mod n. It is advantageous if the a_i and m are small in absolute value and if f_1 has relatively many roots modulo small primes. The best known method to find such polynomials (cf. [5]) produces an m that is of the same order of magnitude as n^{1/6} and a polynomial f_1 that is skew, i.e., |a_5| ≪ |a_4| ≪ |a_3| ≪ |a_2| ≪ |a_1| ≪ |a_0|. The skewness ratio s of f_1 approximates the average ratio |a_i|/|a_{i+1}|. A realistic value for s is 10^4. The bivariate, homogeneous, integral polynomials F_1 and F_2 are defined as 

F_1(x, y) = y^5 * f_1(x/y) and F_2(x, y) = y * f_2(x/y). 

Everything related to f_1 or F_1 is referred to as the algebraic side, as opposed to the rational side for f_2 or F_2. 



4.2 Sieving 

In the second step, the sieving step, relations are sought. These are coprime pairs of integers (a, b) such that b > 0 and both F_1(a, b) and F_2(a, b) are smooth, where smoothness of F_1(a, b) and F_2(a, b) is defined as follows: 

— F_1(a, b) factors over the primes < 2^24, except for possibly three primes < 10^9; 

— F_2(a, b) factors over the primes < 2^24, except for possibly two primes < 10^9. 

Thus, three large primes are allowed on the algebraic side, but only two large primes are allowed on the rational side. There are about one million primes < 2^24, more precisely π(2^24) = 1,077,871. 

Candidate pairs (a, b) are located by twice sieving with the primes < 2^24 over the rectangular region −A < a < A, 0 < b < A/s, for a large A that is specified in 5.5. The sieving region is skew with skewness ratio s. The resulting candidate pairs are trial divided to inspect if they indeed lead to relations. How the sieving and the trial division may be carried out is addressed in the next section. It is the most time consuming step of the NFS, and it is the step for which we want to use the TWINKLE device. 



4.3 Matrix Processing 

Each relation (a, b) gives rise to a vector of exponents corresponding to the multiplicities of the primes in the factorizations of F_1(a, b) and F_2(a, b). It may be expected that there are many linear dependencies among these vectors after about 80 to 100 million relations have been found. Dependencies modulo 2 among the vectors are determined in the matrix processing step. How the matrix step is carried out is described in the literature referred to in [1]. 
4.4 Algebraic Square Root Computation 

Each dependency modulo 2 leads with probability at least one half to the factor- 
ization of n in the last step of the NFS. References describing how this is done 
can be found in [1]. 

5 Sieving 

So far two distinct sieving methods have been used in NFS implementations: line sieving and special q sieving. Line sieving works by sieving over the a-interval [−A, A) for each b = 1, 2, 3, ... consecutively, until enough relations have been found. Special q sieving works by repeatedly picking an appropriate prime q between 2^24 and, approximately, 5 * 10^8, and by restricting the sieving to the pairs (a, b) for which q divides F_1(a, b), until enough unique relations have been found. Note that a relation is found at most once by line sieving, but that it may be found up to three times by special q sieving because each of the at most three algebraic large primes may be used as special q. Both sieving methods may be used, simultaneously or separately, for a single factorization. We describe both methods in more detail, paying special attention to a property of special q sieving that is not generally appreciated and that turns out to be beneficial for TWINKLE-assisted NFS sieving. 

5.1 Factor Bases and Sieving Thresholds 

Let for i = 1, 2 

P_i = {(p, r) : f_i(r) ≡ 0 mod p, p prime, p < 2^24, 0 ≤ r < p}. 

The set P_2, the rational factor base, consists of the pairs (p, m mod p) for all primes p < 2^24 and is trivial to compute. For the computation of P_1, the algebraic factor base, the roots of f_1 mod p have to be determined for all primes p < 2^24. The number of times a particular prime p < 2^24 occurs in a (p, r) pair in P_1 may be 0, 1, 2, 3, 4, or 5. The sets P_1 and P_2 are computed once. Let T_1 and T_2 be two threshold values. 

5.2 Line Sieving 

For b = 1, 2, 3, ... in succession do the following. 

For i = 1, 2 in succession, initialize the sieve locations S_i(a) to zero for −A < a < A, and next for all (p, r) in P_i replace S_i(br + kp) by S_i(br + kp) + log(p) for all integers k such that br + kp ∈ [−A, A). Finally, for all a such that gcd(a, b) = 1, S_1(a) > T_1, and S_2(a) > T_2 inspect if both F_1(a, b) and F_2(a, b) are smooth. 

For a fixed b-value the a-interval −A < a < A is referred to as a line. Note that line sieving uses #P_1 + #P_2 arithmetic progressions per line, i.e., per b-value. 
5.3 Special q Sieving 

For pairs (q, r_q) with f_1(r_q) ≡ 0 mod q, q prime, and 2^24 < q < 10^9 do the following. 

Let L_q be the lattice spanned by the two 2-dimensional vectors (q, 0)^T and (r_q, 1)^T. Sieving over L_q ∩ {(a, b)^T : −A < a < A, 0 < b < A/s}, i.e., 'small' (a, b) pairs for which q divides F_1(a, b), is approximated as follows. Find a basis (x_1, y_1)^T, (x_2, y_2)^T for L_q for which |x_i| ≈ |s * y_i|. Let V_q be the subset of L_q consisting of the vectors d * (x_1, y_1)^T + e * (x_2, y_2)^T for integers d, e with −A/(s * q)^{1/2} < d < A/(s * q)^{1/2}, 0 < e < A/(s * q)^{1/2} (although in practice one sieves over the same d, e values for all pairs (q, r_q)). For i = 1, 2 in succession, initialize the sieve locations S_i(v) to zero for all v in V_q, and next for all (p, r) in P_i replace S_i(v) by S_i(v) + log(p) for all v in V_q that can be written as an integer linear combination of (p, 0)^T and (r, 1)^T. Finally, for all v = (a, b)^T in V_q for which gcd(a, b) = 1, S_1(v) > T_1 − log(q), and S_2(v) > T_2 inspect if both F_1(a, b) and F_2(a, b) are smooth. 

In this case a line is the d-interval for a fixed e-value. It follows from the asymptotic values of A and p (cf. [3]) that a particular line (e-value) is not hit (in the d-interval) by the majority of pairs (p, r). Using arithmetic progressions for all (p, r) pairs per e-value would therefore increase the asymptotic running time of NFS, i.e., it is too expensive to visit all A/(s * q)^{1/2} e-values for all (p, r) ∈ P_1 ∪ P_2. Instead, per (p, r) only O(A^2/(s * q * p)) steps may be performed for the sieving over V_q. In [2] this problem is adequately solved by lattice sieving for each (p, r) pair, as proposed by Pollard (cf. his second article in [3]). Although the TWINKLE device may appear to solve the problem by processing all (p, r) pairs simultaneously for each sieve location, per line the initial B registers still have to be loaded for each (p, r) pair, which is obviously too expensive. This problem and its consequences are discussed in more detail in 7.2. 

5.4 Trial Divisions 

For reasonable choices of T\ and T2 the number of pairs (a, b) for which F\{a, b) 
and ^2(0, 6) have to be inspected for smoothness is so large that straightforward 
trial division with the primes in Pi and P2 would take considerably more time 
than the sieving. Trial division is therefore too time consuming. Instead, in PC 
implementations the primes dividing F\(a, b) and F2{a, b) are found by first re- 
peating the sieving step in a somewhat altered fashion, next performing divisions 
of Fi{a, b) and F2{a, b) by the primes found by this resieving, and finally factor- 
ing the resulting cofactors if they are composite and sufficiently small. For line 
sieving the Fi-cofactor may have to be factored into three factors, whereas for 
special q sieving two factors suffice. Cofactor factorization is thus substantially 
easier for special q sieving than for line sieving. For the line sieving in [1] this 
problem was avoided by using a substantially larger algebraic factor base and 
by allowing only two additional (large) primes in the factorization of F\{a, b). 
This is illustrated by the following actual timings. For smoothness as defined here, the divisions and cofactor factorizations for line sieving cost about 0.7 seconds on a PC per resulting relation, including the time spent on the false reports but not including the time spent on the resieving. For special q sieving it goes more than 6 times faster, i.e., about 0.1 seconds per resulting relation, due to the easier factorizations and the considerably smaller number of false reports. Between 80 and 100 million relations are needed (cf. 4.3), so that with line sieving one may expect to spend more than two years on a single PC to process the reports resulting from sieving and resieving. For special q sieving this can be reduced to about 5 months. 

Therefore, a line sieving TWINKLE device needs to be supported by about 7·10^7 seconds on a PC to perform the divisions by the primes found by the resieving plus the cofactor factorizations. That is about 12.5% of the total PC sieving time reported in [1]. For a special q sieving TWINKLE device other considerations come into play, as shown in 7.2. 



5.5 Sieving Regions 

For a 512-bit n sufficiently many good pairs (a, b) can be expected if special q sieving is done for −2^12 < d < 2^12 and 0 < e < 5,000, for all (q, r_q) pairs with 2^24 < q < 5·10^8. A gross over-estimate for the required line sieving effort follows by taking q = 5·10^8 and A = 2^12·(s·q)^{1/2}. Thus A = 9·10^9, i.e., A/s = 9·10^5 lines of length 2A = 1.8·10^10 each, should suffice for line sieving. The number of points sieved would be about 17·10^15 for line sieving, but only about 10^15 for special q sieving (where we use that π(5·10^8) = 26,355,867). PC implementations of the NFS exclude the ‘even, even’ locations from the sieve, so on PC's the numbers of points sieved are 25% lower. 



6 Hardware Enhancements 

In this section we address most of the potential problems in the original TWINKLE paper which were pointed out by hardware designers and factoring experts. The result is a simpler, better, and more practical factoring device. More particularly, we address the following issues: 

1. Clock rate; 

2. Power consumption; 

3. Avoiding trial division; 

4. Using separate algebraic and rational LED's; 

5. Geometric considerations. 

The type of sieving is left unspecified (cf. Section 7). We assume familiarity with the design from [7] as reviewed in Section 2: cells with A registers for the primes, B registers for the counters, a photodetector for the clock signal, and LED's for the hashing. 
6.1 Clock Rate 

In [7] Shamir assumed that a TWINKLE device can be designed to run at 10 GHz. This speed represents the limit to which currently available GaAs technology can be pushed. However, it is not clear that our ability to produce at great cost a single laser diode which can switch at such speeds can be duplicated in mass produced wafer scale designs. Such a clock rate should thus be viewed as ambitious and speculative, but not as revolutionary as the construction of a quantum factoring computer. 

On the other hand, devices made with the slower CMOS technology already run at clock rates exceeding 700 MHz. We can thus reasonably assume that a TWINKLE device built today can run at clock rates exceeding 1 GHz, and that a TWINKLE device built 5 to 10 years from now can run at clock rates approaching 10 GHz. However, as demonstrated in Section 3 the speed issue can be irrelevant since the achievable speedup ratio can be independent of the actual speed of the TWINKLE device. 



6.2 Power Consumption 

Several experienced hardware designers objected to the original TWINKLE design, claiming that it would consume too much power, which could lead to a wafer meltdown. Since the power consumption grows linearly with the clock rate, a 10-fold reduction of the recommended clock rate can greatly reduce this problem. 

Even greater power reduction can be obtained by using a different cell design. The total power consumption of all the LED's is negligible, since at most a few hundred out of the 100,000 LED's can flash at any given time. The total power consumption of all A registers is also negligible, since they change their state only once per sieving interval. Almost all the power consumed by the wafer is used to change the state of the bits in the B registers which count the number of clock cycles. The original TWINKLE design implemented the counters as linear feedback shift registers. Such a counter design eliminates the carry propagation problem and makes the flashes highly synchronized, but it consumes a lot of power since each bit in the counter changes state every second clock cycle on average. 

To reduce the power consumption, we now propose a different design. It is based on an asynchronous ripple counter in which the clock signal is fed only to the least significant bit, and the i-th bit changes state only once every 2^i clock cycles. As a result, most of the bits in the counter can operate at slow speed, and the average power consumption is a small constant which is independent of the length of the counter. 

The LED can be flashed when the most significant bit changes state from 0 to 1. This eliminates the tree of AND's in the original design, but it can take a long time (several clock cycles) for the clock to ripple through the register when state “0111...111” changes to “1000...000”. A 10% difference in the switching speeds of two counters can lead to flashes which are almost a full clock cycle apart, leading to incorrect results. A simple solution to this problem is based on the observation that the timing of the least significant bits is likely to be much more precise than the timing of the most significant bits. Assume that the maximum propagation delay across the register is between 0 and 15 clock cycles. We derive the flashing signal by AND'ing the most significant bit and the fifth least significant bit. Regardless of when the former bit turns to “1”, the flash will occur when the latter is turned to “1”. Since we reload the B register (in parallel) shortly afterwards, this AND condition will not reoccur until the end of the next cycle. 



6.3 Avoiding Trial Division 

The analog nature of the TWINKLE device implies that each reported smoothness event has to be confirmed and turned into an actual vector of prime exponents. The original TWINKLE design assumed that such events will be so rare that the host PC will use trial division with 100,000 possible primes to accomplish this. For the QS algorithm this assumption is correct, as mentioned in Section 3. However, as mentioned in 5.4 this is a potential bottleneck for the NFS. 

In this section we describe a small modification of the TWINKLE design which can greatly simplify this task. The basic idea is to use the optical photodetector in order to detect that a large number of primes seem to divide the current value, and to use the parallel electronic I/O lines on the wafer to report their identities with a proper encoding technique. The PC only has to perform trial division by about 50 known primes rather than trial division by all primes in the factor bases. The I/O lines are used to load the A and B registers for the new sieving interval, and are idle during the actual sieving. However, these are long high capacitance wires which cannot continuously report the identity of the flashing LED's at each clock cycle. The solution is to make sure that reports will be generated only when the photodetector senses a possible smoothness event, and only by the approximately 50 relevant cells. 

To achieve this, we add an optical feedback path from the photodetector to the cells. When the light measured by the photodetector exceeds the threshold, it flashes a query LED placed next to it (and opposite the wafer). Each cell has an additional photodetector for the query LED. When this query LED is sensed, each cell checks whether it flashed its own LED a certain number of clock cycles ago (depending on the total delay along the optical path), and if so, reports its identity on the I/O lines. 

The simplest way of implementing this idea is to separate the flashing of the LED and the reloading of the counter in each cell. Assume for example that each B register is a ripple counter which flashes its LED when it reaches state “10...010000” (cf. 6.2). It continues to count upwards, reports its identity if the query LED is sensed AND its state is “10...011000”, and reloads itself from register A when its state reaches “10...011001”. The value of the A register has to be augmented to compensate for this delay, and different wavelengths have to be used for the various LED's and photodetectors to avoid confusion between the various optical functions. 
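A bit-level model of the counter design from 6.2 and of the flash/report/reload cycle from 6.3. This is an added example, not a circuit or program from the paper: the register width, the LFSR taps, the use of the fifth least significant bit, and an assumed 8-clock optical round-trip delay (so a cell reports when it sees the query LED 8 clocks after flashing, i.e. in state "10...011000") are illustrative assumptions. The first two functions count how many register bits change per clock in an LFSR-style counter versus a binary ripple counter; the Cell class runs one cell through its states, and run_device sums the flashes of a few cells as the photodetector would and lets the cells that flashed identify themselves.

```python
from math import log

FLASH_BIT = 4     # the "fifth least significant bit" AND'ed with the MSB (6.2)
QUERY_DELAY = 8   # assumed optical round-trip delay in clocks: a cell that flashed
                  # sees the query LED 8 clocks later, in state "10...011000" (6.3)


def popcount(x):
    return bin(x).count("1")


def lfsr_step(state, width, taps):
    """One step of a Fibonacci LFSR: shift left, feed back the XOR of the tap bits."""
    fb = 0
    for t in taps:
        fb ^= (state >> (t - 1)) & 1
    return ((state << 1) | fb) & ((1 << width) - 1)


def avg_toggles_lfsr(width, cycles, taps=(16, 14, 13, 11), seed=1):
    """Average number of register bits that change per clock in an LFSR counter."""
    state, total = seed, 0
    for _ in range(cycles):
        nxt = lfsr_step(state, width, taps)
        total += popcount(state ^ nxt)
        state = nxt
    return total / cycles


def avg_toggles_ripple(width, cycles):
    """Same measurement for a binary ripple counter: bit i toggles every 2^i clocks."""
    state, total, mask = 0, 0, (1 << width) - 1
    for _ in range(cycles):
        nxt = (state + 1) & mask
        total += popcount(state ^ nxt)
        state = nxt
    return total / cycles


class Cell:
    """One cell: a ripple-counter B register with the state encodings of 6.3."""

    def __init__(self, p, first_hit, width=20):
        # Assumption of this model: the flash-to-reload gap must fit inside one period p.
        assert p > QUERY_DELAY + 1
        self.p = p
        self.mask = (1 << width) - 1
        self.flash_state = (1 << (width - 1)) | (1 << FLASH_BIT)  # "10...010000"
        self.report_state = self.flash_state + QUERY_DELAY         # "10...011000"
        self.reload_state = self.report_state + 1                  # "10...011001"
        # A register, augmented by the QUERY_DELAY + 1 clocks spent between flash
        # and reload, so that consecutive flashes are exactly p clocks apart.
        self.a = self.reload_state - p
        # B register preloaded so that the first flash happens at clock first_hit.
        self.b = self.flash_state - first_hit - 1

    def clock(self, query_seen):
        """Advance one clock; return (flashed, reported)."""
        self.b = (self.b + 1) & self.mask
        flashed = self.b == self.flash_state
        reported = query_seen and self.b == self.report_state
        if self.b == self.reload_state:
            self.b = self.a
        return flashed, reported


def flash_times(p, first_hit, n_clocks):
    cell = Cell(p, first_hit)
    return [t for t in range(n_clocks) if cell.clock(False)[0]]


def detection_threshold(primes):
    """Photodetector threshold that fires when all the given primes flash together."""
    return sum(log(p) for p in primes) - 1e-9


def run_device(cells, n_locations, threshold):
    """Clock the wafer over n_locations sieve locations.  The photodetector adds
    log p for every cell flashing in a clock; above threshold it fires the query
    LED, the cells see it QUERY_DELAY clocks later, and those that flashed in the
    earlier clock report their primes.  Returns {location: sorted primes}."""
    query_at, reports = set(), {}
    for t in range(n_locations + QUERY_DELAY):
        query_seen = t in query_at
        total = 0.0
        for cell in cells:
            flashed, reported = cell.clock(query_seen)
            if flashed:
                total += log(cell.p)
            if reported:
                reports.setdefault(t - QUERY_DELAY, []).append(cell.p)
        if t < n_locations and total >= threshold:
            query_at.add(t + QUERY_DELAY)
    return {loc: sorted(ps) for loc, ps in reports.items()}


if __name__ == "__main__":
    print("ripple, 16 and 24 bits:", avg_toggles_ripple(16, 1 << 16), avg_toggles_ripple(24, 1 << 16))
    print("lfsr, 16 bits:", avg_toggles_lfsr(16, 1 << 16))
    cells = [Cell(11, 8), Cell(13, 4), Cell(17, 13), Cell(19, 5)]
    print(run_device(cells, 200, detection_threshold([11, 13, 17])))
```

Over 2^16 clocks a 16-bit ripple counter toggles about 2 bits per clock and a 24-bit one does the same, whereas the 16-bit LFSR toggles about 8, which is the power argument of 6.2 in numbers. In run_device the cells for 11, 13 and 17 are preloaded to coincide at location 30; only that location exceeds a thre[...]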



6.4 Using Separate Algebraic and Rational LED's 

In the QS about half the primes up to a bound B do not yield arithmetic progressions, and the other half generate two distinct arithmetic progressions. This implies that in the original TWINKLE design a single cell contains one A register for a prime, two B registers for the arithmetic progressions, and one LED that flashes if either B register enters a special state. For QS with factor base bound B one may therefore expect π(B) arithmetic progressions generated by π(B)/2 cells with 3 registers (a single A and two B), and one LED per cell. 

NFS requires a different cell design. If distinct cells are feasible we show that the same average number of registers per cell (namely 3) can be achieved as in QS. Let B = 2^24 (cf. 4.2). All primes less than B are potential divisors of F_2(a, b). Thus, at least π(B) different cells, each with at least an A register, a B register, and an LED, are needed for the resulting π(B) rational arithmetic progressions. For F_1(a, b) the number of arithmetic progressions required for a certain prime p < B depends on the number of distinct roots of f_1 mod p. On average one may expect that for 

— 11/30 of the primes f_1 mod p does not have a root; 

— 3/8 of the primes f_1 mod p has a single root; 

— 1/6 of the primes f_1 mod p has two distinct roots; 

— 1/12 of the primes f_1 mod p has three distinct roots; and 

— 1/120 of the primes f_1 mod p has five distinct roots. 

(Note that 11/30 + 3/8 + 1/6 + 1/12 + 1/120 = (44 + 45 + 20 + 10 + 1)/120 = 1.) Let p < B be a prime for which f_1 mod p has d distinct roots. This p requires d + 1 distinct arithmetic progressions which can be taken care of by a single cell with d + 2 registers: a single A register for p, a single B register for the rational arithmetic progression, and d different B registers for the d distinct algebraic arithmetic progressions. Here we use that unless n has a small factor, p cannot divide both F_1(a, b) and F_2(a, b), so that the rational arithmetic progression is different from the algebraic ones. This leads to a total of π(B) cells: 11·π(B)/30 with 2 registers, 3·π(B)/8 with 3 registers, π(B)/6 with 4 registers, π(B)/12 with 5 registers, and π(B)/120 with 7 registers. The total number of registers is (2·11/30 + 3·3/8 + 4/6 + 5/12 + 7/120)·π(B) = (88 + 135 + 80 + 50 + 7)·π(B)/120 = 3·π(B). The expected number of arithmetic progressions equals π(B) + (3/8 + 2/6 + 3/12 + 5/120)·π(B) = 2·π(B). Thus, for NFS with factor base bounds B one may expect 2·π(B) arithmetic progressions generated by π(B) cells with on average 3 registers, which is not much different from QS. The number of LED's per cell is discussed below. 

The simplest approach to simultaneous algebraic and rational sieving would be to let the rational B register and the algebraic B registers in a particular cell share the same LED. In the terminology of 5.2 and 5.3 this would mean that the dual condition “S_1(x) > T_1 (− log(q)) and S_2(x) > T_2” is replaced by the single condition “S_1(x) + S_2(x) > T_1 (− log(q)) + T_2”. Extensive software experiments using this simplification were not encouraging, as it leads to too many false reports (with the original T_i's) or too many missed pairs (with adapted T_i's). Nevertheless, for TWINKLE it may be worth trying this approach. It would lead to a single LED per cell. 

A more promising approach would be to have the algebraic flashes on the odd beat and the rational flashes on the even beat. This can easily be realized by storing 2p instead of p in the A registers and by changing the values initially stored in the B registers in the obvious way. If the photodetector detects a pair of consecutive odd and even high intensities a report occurs, i.e., a good pair may have been found. This approach still requires a single LED per cell, but it has the disadvantage that it takes two clock cycles to process a single sieve location. 

Another approach would be to use LED's of different colours for algebraic and rational flashes. The algebraic LED flashes if either of the algebraic B registers is in a special state, and the rational LED flashes if the rational B register is in a special state. A report occurs if two photodetectors for the two different frequencies simultaneously detect a high intensity. In this approach all cells have a rational LED and 19/30 of the cells have an algebraic LED as well, for a total of 49·π(B)/30 LED's, which is almost 5/3 LED's per cell on average. The advantage of this approach, which we assume in the sequel, is that processing a single sieve location takes a single clock cycle, as in the original TWINKLE design. Note that it requires yet another different wavelength to avoid confusion with other optical signals. 

6.5 Geometric Considerations 

The geometry of the TWINKLE design described in [7] was based on the operational requirement that the time delay along the optical paths (from the clocking LED to all the cells on the flat wafer, and from these cells back to the summing photodetector) should be as uniform as possible. The recommended design placed the wafer at one face of a cylindrical tube, the photodetector at the center of the opposite face, and several synchronized clocking LED's around the perimeter of this face. This physical design reduced but did not eliminate the time difference between various optical paths in the tube. As a result, the tube had to be quite long, and thus the LED's on the wafer had to be made stronger, bigger, and more power consuming. 

A greatly improved design (which was independently discovered by several researchers in private communication) places both the clocking LED and the photodetector at the center of one face of the cylinder, and at the focal point of a convex lens placed inside the cylinder between its two faces. Since all the relevant light rays (in both directions) between the lens and the wafer are parallel along the cylinder, all the wave fronts (which are perpendicular to the light rays) are flat and parallel to the wafer, and thus the time delay from the clocking LED to any point in the wafer and from there back to the photodetector is exactly the same. In addition, all the light gathered by the lens is concentrated on the small face of the photodetector, and thus the LED's on the wafer can be made smaller and weaker. 

7 Analysis of TWINKLE-Assisted NFS Factorizations 

7.1 Line Sieving for 512-Bit Numbers 

To simplify the analysis, we assume for the moment that the factor base size is irrelevant. Under this assumption, the device as described in [7] and with the modifications from Section 6, can straightforwardly be used to perform line sieving for an NFS 512-bit factorization. The primes p for the (p, r) in P_2 are loaded once in the A registers, with the exact distribution over the different types of cells determined by the number of roots of f_1 mod p, as implied by the description in 6.4. For the first line (b = 1) the B register corresponding to a pair (p, r) ∈ P_1 ∪ P_2 is initialized as r + A − p·⌊(r + A)/p⌋, where A = 9·10^9. The initial B-value for the next line follows by adding r to the initial value for the current line and taking the result modulo p. Thus, computation of the two million initial B register values for the next line can be done on an ordinary PC in less time than it takes TWINKLE to sieve the current line (see below). As shown in 5.5, a total of A/s = 9·10^5 lines of length 2·A = 1.8·10^10 each should suffice. As in Section 3 we consider two possible scenarios: 

1. A modified TWINKLE device running at the maximum possible speed of 10 GHz. Each sieving interval of length 1.8·10^10 can be scanned in 1.8 seconds. Reloading the B registers can be done in 0.02 seconds (cf. [7]) when done sequentially for all registers, or in 0.002 seconds when done in 10-fold parallelism, and can thus be neglected. All 9·10^5 lines can be processed in approximately 1.8·9·10^5 seconds, which is less than 3 weeks. A speed-up by 25% can be obtained by excluding ‘even, even’ locations from the sieve (cf. 5.5). This improvement is not reflected in our TWINKLE running time estimates but is included in the running times from [1]. The 3 week estimate includes the time for reloading and resieving, but does not include the time to do the actual divisions and cofactor factorizations. The latter can be done in 1.8·9·10^5 seconds by about 43 loosely coupled PC's, as estimated in 5.4, and one additional PC is needed to compute the root updates. A total of 44 PC's would be able to do the sieving step in about 21 weeks (using special q sieving, cf. [1]). The improvement ratio is about a factor 8. 

2. A modified TWINKLE device running at the minimum recommended speed of 1 GHz (cf. 6.1). Each sieving interval of length 1.8·10^10 can be scanned in 18 seconds and all 9·10^5 lines can be processed in approximately 18·9·10^5 seconds, which is less than 27 weeks. It follows from 5.4 that 5 auxiliary PC's suffice for all auxiliary computations (divisions, cofactor decompositions, and root updates). A total of 5 PC's would be able to do the sieving step in about 186 weeks, and the improvement ratio we obtain is about a factor 7. 

Thus, as in Section 3, we get about the same improvement ratio regardless of the clock rate of the TWINKLE device. This is due to the fact that the computational bottleneck is in the supporting PC's. Note that the improvement ratio is close to the maximum attainable ratio implied by the last paragraph of 5.4. 
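The B-register arithmetic of 7.1 in code. This is an added example and not the authors' software: it uses a small illustrative polynomial f(x) = x^3 + 2x + 5 with F(a, b) = b^3·f(a/b), assumes the usual convention that a pair (p, r) means p | F(a, b) exactly when a ≡ b·r (mod p), and sieves lines of length 2A with A = 20 rather than the paper's huge A. Each register is initialised as r + A − p·⌊(r + A)/p⌋, advanced by r mod p per line, and used to accumulate log p along its arithmetic progression; the result is checked against direct divisibility of F(a, b). The hits_in_line function also shows the observation used in 7.2: once p exceeds the line length, a (p, r) pair hits a line at most once, so there is no progression left to sieve.

```python
from math import log

# Illustrative polynomial f(x) = x^3 + 2x + 5 (coefficients low to high); its
# homogenisation is F(a, b) = a^3 + 2ab^2 + 5b^3.  Small primes, small A.
F_COEFFS = [5, 2, 0, 1]


def homog(a, b, coeffs=F_COEFFS):
    """F(a, b) = b^d f(a/b) as an integer."""
    d = len(coeffs) - 1
    return sum(c * a ** i * b ** (d - i) for i, c in enumerate(coeffs))


def factor_base(bound, coeffs=F_COEFFS):
    """All (p, r) with p < bound prime and f(r) = 0 mod p (roots found by brute force)."""
    pairs = []
    for p in range(2, bound):
        if any(p % q == 0 for q in range(2, int(p ** 0.5) + 1)):
            continue
        for r in range(p):
            if sum(c * pow(r, i, p) for i, c in enumerate(coeffs)) % p == 0:
                pairs.append((p, r))
    return pairs


def initial_b(p, r, A):
    """B register for line b = 1: r + A - p * floor((r + A) / p), i.e. the index
    x = a + A of the first a in [-A, A) with a = r (mod p)."""
    return r + A - p * ((r + A) // p)


def next_b(b_val, p, r):
    """B register for the next line: add r and reduce mod p."""
    return (b_val + r) % p


def hits_in_line(p, r, A, b):
    """Number of sieve locations hit by (p, r) in line b (at most one when p > 2A)."""
    return len(range((b * r + A) % p, 2 * A, p))


def line_sieve(pairs, A, lines):
    """Return {b: sieve array of length 2A} for b = 1..lines, accumulating log p."""
    regs = {(p, r): initial_b(p, r, A) for p, r in pairs}
    result = {}
    for b in range(1, lines + 1):
        S = [0.0] * (2 * A)
        for (p, r), start in regs.items():
            for x in range(start, 2 * A, p):      # arithmetic progression, step p
                S[x] += log(p)
            regs[(p, r)] = next_b(start, p, r)    # register for the next line
        result[b] = S
    return result


def verify(pairs, A, lines):
    """Check the sieve against direct arithmetic: S[x] must equal the sum of
    log p over (p, r) with a = b r (mod p), and for p not dividing b that
    congruence must coincide with p | F(a, b).  Lines with p | b are the
    projective case, which real NFS sievers handle with a separate root."""
    roots = {}
    for p, r in pairs:
        roots.setdefault(p, []).append(r)
    for b, S in line_sieve(pairs, A, lines).items():
        for x, val in enumerate(S):
            a = x - A
            expected = sum(log(p) for p, r in pairs if (a - b * r) % p == 0)
            if abs(val - expected) > 1e-9:
                return False
            for p, rs in roots.items():
                if b % p == 0:
                    continue
                if any((a - b * r) % p == 0 for r in rs) != (homog(a, b) % p == 0):
                    return False
    return True


if __name__ == "__main__":
    print("sieve matches divisibility:", verify(factor_base(60), 20, 6))
    big = [(p, r) for p, r in factor_base(200) if p > 32]
    print("max hits per line of length 32 for p > 32:",
          max(hits_in_line(p, r, 16, b) for p, r in big for b in range(1, 11)))
```

verify returns True for this small factor base. The projective case p | b is skipped in the divisibility check; real sievers carry an extra projective root for it rather than relying on the affine roots r.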

The factor base sizes specified in 4.2 imply that the TWINKLE device, using the cell design as in 6.4, would contain about 10 wafers of more or less the same size as the wafers described in [7]. For that reason we now concentrate on how special q sieving may be used for TWINKLE-assisted factorizations of 512-bit and 768-bit numbers. 

7.2 Special q Sieving for 512-Bit Numbers 

Naive implementation of special q sieving on a modified TWINKLE device is not promising. Despite the fact that a total of only 10^15 sieve locations (cf. 5.5) have to be processed (which can, at 10 GHz, be done in less than 28 hours, including the resieving), the B registers have to be reloaded every 2·2^12 = 8,192 sieve locations (cf. 5.5). Even with 10-fold parallelized reloading this adds 0.002·(10^15/8,192) = 2.4·10^8 seconds, i.e., almost 8 years, to the sieving time, without even considering how a PC is supposed to prepare the required data in 0.8 microseconds (the sieving time per line). As noted in 5.3, this problem is due to the fact that in special q sieving one cannot touch all factor base elements for all lines without violating the NFS running time. 

A much better solution is obtained by radically changing the approach, and making use of the fact that the majority of the factor base elements do not hit a particular line. Of the 2 million (p, r) pairs with p > 2·2^12 on average only about 10^4 hit a particular line, and if a pair hits, it hits just once. It follows that on average 2·π(8,192) + 10^4 pairs must be considered per line, and that roughly 2·10^4 cells suffice if the same cell is associated with different p's (of approximately the same size) for different lines. Of these cells 2·π(8,192) are as usual with fixed A registers, variable B registers, and proper arithmetic progressions. The other cells, however, need B registers only, assuming that their (variable) primes can be derived from their location if a report occurs. This follows from the fact that there is just a single hit, which implies that there is no true arithmetic progression to sieve with, and that the step size p is not needed. A clear advantage is that it simplifies the design of the TWINKLE device considerably, because only a single wafer with about 2·10^4 cells would suffice. And most cells are even simpler than usual since they contain just one B register, two photodetectors, and a single rational or algebraic LED (split evenly among the cells). Note that the TWINKLE device would not actually be sieving for the primes > 8,192 but act as an accumulator of logarithms of primes corresponding to identical B values. 

We analyze the resulting speed for this modified and simplified TWINKLE device running at the maximum possible speed of 10 GHz. The number of sieve locations per special q is 8,192·5,000, which can be scanned in 4 milliseconds. Per line about 2·π(8,192) + 10^4 values have to be reloaded. This can be done in 0.12 milliseconds. Thus, the auxiliary PC's have 5,000·0.00012 + 0.004 ≈ 0.6 seconds to prepare the list of register values ordered according to the lines where they should be used. Obviously, the PC's should also not touch each line per (p, r) pair, so they will have to use some type of lattice technique to process each (p, r) pair. The lattice siever from [2] that was used in [1] takes about 8.8 seconds to provide the required list. Thus, one may expect that about 8.8/0.6 ≈ 15 PC's are required to prepare the line data for a TWINKLE device. It follows that a single modified and simplified TWINKLE device supported by about 15 PC's can do the special q NFS sieving for a 512-bit number in (π(5·10^8) − π(2^24))·0.6 seconds, i.e., about half a year. To keep up with the actual divisions and cofactor factorizations at 0.1 seconds per resulting relation (cf. 5.4) for 100 million relations (cf. 4.3), a single PC suffices. A total of 16 PC's would be able to do the sieving in slightly more than a year (cf. [1]), and the total improvement ratio is about 2.3. But note that the auxiliary PC's require only a modest amount of memory, whereas the PC's running the special q siever from [2] need to be able to allocate 64 megabytes of RAM to run efficiently. The same analysis holds when the TWINKLE device runs at the minimum recommended speed of 1 GHz. 

The single wafer required for this modified and simplified TWINKLE device is much smaller than the one proposed in [7]. From our analysis it looks as if loading the new line data is the big bottleneck for special q sieving on the TWINKLE device. If that can be done x times faster, the TWINKLE device will run about x times faster. But the comparison to PC's would not be affected, because also x times more PC's would be needed to prepare the line data. So, from that point of view the data loading time is not a bottleneck, and we conclude that the PC support required for the preparation of the list of line data has a similar (and even stronger) effect on TWINKLE-assisted special q sieving as the post-processing PC support has for TWINKLE-assisted line sieving. 

7.3 Special q Sieving for 768-Bit Numbers 

Based on the asymptotic running time of the NFS, it may be expected that 768-bit numbers are at most 5,000 times harder to factor than 512-bit numbers. The size of the total sieving region grows proportionally to the running time, and the factor base sizes and the size of the sieving region per special q grow proportionally to the square root of the running time. Based on the figures from [1] we expect that 90,000 PC's with huge RAM's of about 5 gigabytes per PC can do the special q sieving in about a year. Based on extrapolation of the results from [1] we expect that one terabyte of disk space (about 50 standard PC hard disks costing a total of about $10,000) would suffice to store the data resulting from the sieving step. 

Using well known structured Gaussian elimination methods that require only sequential disk access to the data, a matrix of less than half a billion rows and columns and on average less than 100 entries per row can be built, requiring less than 200 gigabytes of disk space. Extrapolation of existing PC implementations of the block Lanczos algorithm suggests that this still relatively sparse matrix can be processed in less than 4,000 years on a single PC, using a blocking factor of 32. Preliminary results of block Lanczos parallelization seem to indicate that k-fold parallelization leads to a (k/3)-fold speed-up, where so far no values of k > 16 have been used (cf. [4]). Assuming that this parallelization scales up to larger k, application of these preliminary results with k = 5·4·4,000 = 80,000 and a conservative (80,000/5)-fold speed-up leads to the estimate that 80,000 PC's can do the matrix step in 3 months, when they are connected to a sufficiently fast network. Each of the PC clients would need only a few megabytes of RAM to store only a small fraction of the matrix. Unlike other figures in this paper, this estimate has not been confirmed by an actual implementation, and we stress that it is based on the assumption that the parallelization from [4] scales reasonably well. Note that future 64-bit PC's can use a blocking factor of 64, thereby halving the number of Lanczos iterations and substantially reducing the time required. Another way to parallelize block Lanczos that may be worth considering is to replace each PC client by a cluster of, say, t PC clients, thereby further reducing the number of Lanczos iterations by a factor t. 

We now consider how the simplified design from 7.2 scales up to 768-bit numbers. The total sieving time increases by a factor of about 5,000 to approximately 2,500 years. The factor base sizes increase by a factor 70, but so does the size of the sieving region per special q, so the same number of supporting PC's will be able to prepare the required lists of line data, per TWINKLE device. The wafer size would increase by a factor less than 9, and thus become comparable to the size proposed in [7]. We can thus conclude that about 5,000 modified and simplified TWINKLE devices supported by about 80,000 PC's can do the sieving step for a 768-bit number in about half a year. With the above estimate for the matrix step we arrive at the estimate given in the abstract. 

PC's with 5 gigabyte RAM's which are needed to run the special q siever in standard NFS factorizations are highly specialized: only a negligible number of such machines exist, and they have very few other applications. On the other hand, the auxiliary PC's in TWINKLE-assisted factorizations do not need exceptionally large memories, and thus it is possible to timeshare standard PC's which are used for other purposes in the organization (or over the Internet) during daytime. Large memories are also not needed for parallelized block Lanczos implementations. Since the 80,000 PC's are likely to be more expensive than the 5,000 TWINKLE devices, their free availability can dramatically reduce the cost of the hardware, and make a TWINKLE-assisted attack on a 768-bit RSA modulus much more feasible than a pure PC-based attack that uses dedicated PC's with huge memories. 



8 TWINKLE without Optoelectronics 

After the publication of the original TWINKLE paper, several alternative implementations were proposed by various researchers. The main theme of the modified designs was to replace the optoelectronic adder by an electronic adder of one of the following types: 

1. An analog adder, in which each cell adds some current to a common line. An event is registered whenever the total current is high enough. 

2. A digital adder, in which a tree of local 2-way adders adds the binary numbers which represent the contributions of the various cells. 

3. A one dimensional systolic array, in which each cell increments one in p numbers passing through it for some p. The sequence of numbers “falling off” the end of the array is scanned for high entries. 

The analog adder is likely to be too slow to react to rapidly changing signals due to the high capacitance of the tree of wires. The digital adder tree is faster, but each adder is likely to use a larger area and more power than a single LED which is dark most of the time. In addition, large adder trees are not fault tolerant, since a dead adder can eliminate the contributions of all the cells in its subtree. Similarly, a systolic array requires complex bypass mechanisms to overcome the dead or unreliable cells along it, since each number should pass through all the cells. 

A purely electronic design may look more attractive than an optoelectronic design, since it is slightly easier to design and somewhat cheaper to manufacture. However, this is not likely to be a major consideration in large scale factoring efforts by large organizations, and in most respects it makes the design less efficient: Gallium Arsenide technology is faster than silicon technology, LED's are smaller than adders, independent cells are more fault tolerant than interconnected cells, and ultraprecise timing is easier to achieve with optics than with electronics. 



9 Conclusion 

From our analysis we conclude that both the original TWINKLE device as 
proposed in [7] and the variant that runs at one tenth of the speed can be 
expected to achieve a substantial speed-up over a PC implementation for the 
QS-factorization of 384-bit numbers. We described a modified version of the 
TWINKLE device that is better suited for the implementation of the NFS fac- 
toring algorithm than the original design. We found that 768-bit RSA moduli 
are more vulnerable to NFS attacks by our improved TWINKLE design than by 
current PC implementations. 
Abstract. The noisy polynomial interpolation problem is a new intractability assumption introduced last year in oblivious polynomial evaluation. It also appeared independently in password identification schemes, due to its connection with secret sharing schemes based on Lagrange's polynomial interpolation. This paper presents new algorithms to solve the noisy polynomial interpolation problem. In particular, we prove a reduction from noisy polynomial interpolation to the lattice shortest vector problem, when the parameters satisfy a certain condition that we make explicit. Standard lattice reduction techniques appear to solve many instances of the problem. It follows that noisy polynomial interpolation is much easier than expected. We therefore suggest simple modifications to several cryptographic schemes recently proposed, in order to change the intractability assumption. We also discuss analogous methods for the related noisy Chinese remaindering problem arising from the well-known analogy between polynomials and integers. 



1 Introduction 

At STOC '99, Naor and Pinkas [26] introduced a new and useful primitive:
oblivious evaluation of polynomials, where a polynomial is known to Bob and he
would like to let Alice compute its value at an input known to her, in such a
way that Bob does not learn her input and Alice does not gain any additional
information about the polynomial. The scheme they proposed is quite
attractive, as it is much more efficient than traditional oblivious evaluation
protocols, which leads to several applications. For instance, Gilboa [14]
applied the scheme to two-party RSA key generation. Naor and Pinkas mention
other interesting applications in their paper [26], such as a method enabling
two agencies, each having a list of names, to find the common names on the
lists without revealing other information.

Perhaps the only problem with the Naor-Pinkas scheme was a security issue, 
since the scheme used a new intractability assumption. The underlying compu- 
tational problem, the so-called noisy polynomial interpolation problem, can be 
stated as follows: 

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 53-69, 2000. 
Problem 1 (Noisy polynomial interpolation). Let $P$ be a polynomial of degree
$k$ over a finite field $F$. Given $n > k+1$ sets $S_1, \dots, S_n$ and $n$
distinct elements $x_1, \dots, x_n \in F$ such that each
$S_i = \{y_{i,j}\}_{1 \le j \le m}$ contains $m-1$ random elements and
$P(x_i)$, recover the polynomial $P$, provided that the solution is unique.

A simple counting argument suggests that $m^n \ll q^{\,n-1-k}$ (where $q$
denotes the cardinality of $F$) should be satisfied to ensure the uniqueness of
the solution. Several generalizations are possible: for instance, one can
assume that the sets $S_i$ have different sizes instead of $m$. A related
problem is the following:

Problem 2 (Polynomial reconstruction). Given as input integers $k$, $t$ and
$n$ points $(x_1, y_1), \dots, (x_n, y_n) \in F^2$, output all univariate
polynomials $P$ of degree at most $k$ such that $y_i = P(x_i)$ for at least
$t$ values of $i$.




Noisy polynomial interpolation 




The polynomial reconstruction problem is well-known because the generalized
Reed-Solomon list decoding problem reduces to it. The best algorithm known to
solve this problem is the recent algorithm of Guruswami and Sudan [17] (GS),
which was inspired by previous work of Ar et al. [3] on a related problem. Its
running time is polynomial in $n$, and the algorithm succeeds provided
$t > \sqrt{kn}$, for any field $F$ of cardinality at most $2^n$. Naor and
Pinkas remarked the existence of a simple reduction from noisy polynomial
interpolation to polynomial reconstruction, which led them to conjecture that
the noisy polynomial interpolation problem was as hard as the polynomial
reconstruction problem.

This paper provides evidence that the conjecture is likely to be false. More
precisely, we present new methods to solve noisy polynomial interpolation
which (apparently) do not apply to polynomial reconstruction. In particular,
we prove that the noisy polynomial interpolation problem can be transformed
into a lattice shortest vector problem with high probability, provided that
the parameters satisfy a certain condition that we make explicit. This result
is qualitatively similar to the well-known lattice-based methods [20,9] to
solve the subset sum problem: the subset sum problem can be transformed into a
lattice shortest vector problem with high probability, provided that a
so-called low-density condition is satisfied. As with subset sums,
experimental evidence suggests that most practical instances of the noisy
polynomial interpolation problem with small $m$ can be solved. It follows that
noisy polynomial interpolation is much easier than expected (despite known
hardness results [2,24] on the lattice shortest vector problem), and thus
should be used cautiously as an intractability assumption.
Interestingly, the noisy polynomial interpolation and the polynomial
reconstruction problems also appeared in password authentication schemes
[25,13]. Both schemes use Shamir's secret sharing scheme based on Lagrange's
polynomial interpolation, where the shares are encrypted with low-entropy
secrets. Shamir's scheme achieves perfect security, but here additional
information is available to the attacker. A closer inspection shows that [13]
is based on the noisy polynomial interpolation problem, and is therefore
insecure for many choices of the parameters. For instance, the authors propose
to use $n = 22$, $k = 14$ and $m \approx 256$ to protect a 112-bit key. But
this configuration can be broken using a meet-in-the-middle attack (see
Section 2.3) with $n' = 16$, in time roughly $m^{n'/2} = 2^{64}$. The solution
described in [25] is much better, as it is based on the hardness of the
discrete log problem and a variant of the polynomial reconstruction problem.

We also discuss analogous methods for a related problem, the so-called noisy
Chinese remaindering problem arising from the well-known analogy between
polynomials and integers. Curiously, problems such as point counting on
elliptic curves over finite fields and integer factorization of numbers of the
form $N = p^2 q$ can be viewed as generalized noisy Chinese remaindering
problems. We explain why the lattice-based approach does not appear to be as
useful in such settings.

The paper is organized as follows. In Section 2, we review simple methods for 
noisy polynomial interpolation. Section 3 is devoted to lattice-based methods. 
Cryptographic implications of these results are discussed in Section 4. In Section 
5, we study analogous methods for the noisy Chinese remaindering problem. Due 
to lack of space, some details and proofs are omitted, but those can be found in 
the full version available on our webpages. 



2 Simple Methods for Noisy Polynomial Interpolation 

2.1 An Error-Correction Method 

When the noisy polynomial interpolation problem appeared in [26], the only
known algorithm to solve it (apart from exhaustive search) was based on a
simple reduction from noisy polynomial interpolation to polynomial
reconstruction. More precisely, Naor and Pinkas noticed that by randomly
choosing one element $y_{i,j}$ in each $S_i$, one obtains an instance of the
polynomial reconstruction problem with the $n$ (randomly chosen) points
$(x_i, y_{i,j})$. The solution $P$ is of degree $k$, and we have
$P(x_i) = y_{i,j}$ for approximately $n/m$ values of $i$. Therefore the
solution is expected to be output by the GS algorithm provided that
$n/m > \sqrt{kn}$, that is: $m < \sqrt{n/k}$. In fact, one can obtain a
better reduction by taking all the points, which was apparently unnoticed.
Indeed, if one picks all the $nm$ points $(x_i, y_{i,j})$, then the solution
$P$ of degree $k$ satisfies $P(x_i) = y_{i,j}$ for at least $n$ values of
$(i,j)$. Hence, the GS algorithm will output $P$ if $n > \sqrt{knm}$, that
is: $m < n/k$.

It is worth noting that this condition does not depend on the size of the
finite field. The previous reductions do not use the specificity of the noisy
polynomial interpolation instances. It is not known whether one can improve
the GS algorithm when applied to those particular instances, although [6]
describes a simple algorithm achieving the same bound $m < n/k$. We now
present methods to solve the problem when the condition $m < n/k$ is not
satisfied.

2.2 A Grobner Basis Method 

A natural way to solve the noisy polynomial interpolation problem is to reduce
it to solving a system of multivariate polynomial equations. Write the unknown
polynomial as $P(x) = \sum_{i=0}^{k} a_i x^i$. For each $i$ there exists $j$
such that $P(x_i) = y_{i,j}$, therefore:

$$\prod_{j=1}^{m} \bigl(P(x_i) - y_{i,j}\bigr) = 0.$$

One thus obtains $n$ polynomial equations in the $k+1$ unknowns
$a_0, \dots, a_k$, in the field $F$.

Gröbner bases are the usual way to solve such systems. However, the complexity
of such techniques is super-exponential in $k$: in practice, it is likely that
the method would be impractical if $k$ is not very small (for instance, larger
than 20). Theoretically, one could also apply the relinearization technique
recently introduced by Kipnis and Shamir [19], at least in the case $m = 2$
(that is, a system of quadratic equations). At the moment, the behaviour of
this new method is not completely understood; however, the latest results [10]
suggest that the method is impractical for sufficiently large $k$, such as
$k > 50$.



2.3 A Meet-in-the-Middle Method 

A meet-in-the-middle approach can be used to solve the noisy polynomial
interpolation problem. Let $n' \le n$ be the smallest integer for which we
expect the solution to be unique. Define the Lagrange interpolation
polynomials in $F[x]$:

$$L_i(x) = \prod_{1 \le j \le n',\; j \ne i} \frac{x - x_j}{x_i - x_j}.$$

The degree of $L_i$ is $n'-1$. We are looking for coefficients
$c_i \in \{1, \dots, m\}$ such that

$$\deg\Bigl(\sum_{i=1}^{n'} y_{i,c_i}\, L_i(x)\Bigr) \le k.$$

For all $c = (c_1, \dots, c_{\lfloor n'/2 \rfloor}) \in \{1, \dots, m\}^{\lfloor n'/2 \rfloor}$
and $c' = (c'_{\lfloor n'/2 \rfloor + 1}, \dots, c'_{n'}) \in \{1, \dots, m\}^{n' - \lfloor n'/2 \rfloor}$
we compute the polynomials
$U_c(x) = \sum_{i=1}^{\lfloor n'/2 \rfloor} y_{i,c_i} L_i(x)$ and
$V_{c'}(x) = -\sum_{i=\lfloor n'/2 \rfloor + 1}^{n'} y_{i,c'_i} L_i(x)$.
We compare the two lists: if some $U_c(x)$ and $V_{c'}(x)$ have identical
coefficients for the terms $x^{k+1}, \dots, x^{n'-1}$, then
$U_c(x) - V_{c'}(x)$ has degree at most $k$, and therefore solves the problem.

The method requires the computation of all the polynomials $U_c(x)$ and
$V_{c'}(x)$. Since the values $y_{i,j} L_i(x)$ can be precomputed and partial
sums can be reused, the time complexity of this attack is
$O\bigl((n'-k)\, m^{\lceil n'/2 \rceil}\, \tau\bigr)$, where $\tau$ is the time
for an addition in $F$. The memory requirement of this algorithm is
$O\bigl((\log q)\, m^{\lfloor n'/2 \rfloor}\bigr)$, but an improved algorithm
needing $O\bigl((\log q)\, m^{n'/4}\bigr)$ exists.

It is worth noting that the meet-in-the-middle method does not apply to the
polynomial reconstruction problem. This is because the Lagrange polynomials
$L_i(x)$ in this problem depend on the selection of the values $y_{i,j}$ used
for the interpolation. Different $y_{i,j}$'s correspond to different $x_i$'s
and therefore different Lagrange polynomials. The meet-in-the-middle method
takes advantage of the fact that the $x_i$'s are known in advance.

Note that the meet-in-the-middle method can still be used if we have to
compute a power of $P(x_0)$ for some public base and public $x_0$, when given
the corresponding powers of the $y_{i,j}$'s rather than the $y_{i,j}$'s
themselves. This is because polynomial interpolation is a linear function of
the inputs $y_{i,j}$.



3 Lattice-Based Methods for Noisy Polynomial 
Interpolation 

We now describe lattice-based methods to solve noisy polynomial interpolation.
To simplify the presentation, we assume in the whole section that the finite
field $F$ is a prime field ($q$ being a prime number). The results extend to
the general case by viewing $F$ as a finite dimensional vector space over its
prime field.

In this paper, we will call lattice any integer lattice, that is, any subgroup
of $(\mathbb{Z}^n, +)$ for some $n$. Background on lattice theory can be found
in several textbooks, such as [16,35]. For lattice-based cryptanalysis, we
refer to [18].

Our lattice-based methods build in polynomial time a lattice from a given 
instance of noisy polynomial interpolation. In this lattice, there is a particular 
lattice point, the so-called target vector, which is both unusually short and closely 
related to the solution of our problem. We will first give heuristic arguments 
suggesting that the target vector is the lattice shortest vector. Then we will 
modify our lattice to prove that the target vector is with high probability the 
shortest vector of the modified lattice, when the parameters satisfy a certain 
condition that we make explicit. The proofs are somewhat technical, but the 
underlying idea is similar to the one used to show that the low-density subset 
sum problem can be reduced with high probability to a lattice shortest vector 
problem [20,9]. More precisely, we will estimate the probability that a fixed vector 
belongs to the lattice built from a randomly chosen instance of the problem. By 
enumerating all possible short vectors, we can then upper bound the probability 
that there exists a nonzero lattice point shorter than the target vector for a 
randomly chosen instance. From a practical point of view, one hopes to solve
the problem by using standard lattice reduction algorithms [21,30,31,32] as
lattice shortest vector oracles.




Daniel Bleichenbacher and Phong Q. Nguyen



3.1 Linearization of Noisy Polynomial Interpolation 

Let $L_i(x)$ be the Lagrange interpolation polynomial defined as

$$L_i(x) = \prod_{j \ne i} \frac{x - x_j}{x_i - x_j}.$$

The solution satisfies $P(x) = \sum_{i=1}^{n} P(x_i)\, L_i(x)$. We linearize
the problem: letting $\delta_{i,j}$ equal 1 if $P(x_i) = y_{i,j}$, and 0
otherwise, one obtains $P(x_i) = \sum_{j=1}^{m} \delta_{i,j}\, y_{i,j}$, hence

$$P(x) = \sum_{i=1}^{n} \sum_{j=1}^{m} \delta_{i,j}\, y_{i,j}\, L_i(x).$$

Since $P(x)$ has degree $k$, while $L_i$ has degree $n-1$, we obtain $n-1-k$
linear equations in the $nm$ unknowns $\delta_{i,j}$. As a linear system in
the field $F$, it is underdefined. However, one can also view the problem as a
lattice problem for which lattice reduction might apply.¹

The set $L$ of integer row vectors $d = (d_{1,1}, d_{1,2}, \dots, d_{n,m}) \in \mathbb{Z}^{nm}$
such that the polynomial $\sum_{i=1}^{n} \sum_{j=1}^{m} d_{i,j}\, y_{i,j}\, L_i(x)$
has degree at most $k$ is clearly a lattice in $\mathbb{Z}^{nm}$. The 0/1
vector $(\delta_{1,1}, \delta_{1,2}, \dots, \delta_{n,m})$ belongs to $L$; we
call it the target vector. Its Euclidean norm is $\sqrt{n}$. To see how short
this vector is compared to other lattice vectors, we need to analyze the
lattice $L$. We wish to obtain results of the flavour of lattice-based
algorithms to solve low-density subset sums [20,9]: with high probability over
a certain distribution of the inputs, and under specific conditions on the
parameters, the target vector is the lattice shortest vector.
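The meet-in-the-middle search of Section 2.3 and the linearisation of this section, as an added example that is not part of the original paper. It works over a prime field Z_q with toy parameters (q = 1000003, n = n' = 8, m = 2, k = 3; the paper's experiments use n = 160 and an 80-bit q), constructs a random instance, recovers the polynomial by matching the coefficients of x^{k+1}, ..., x^{n'-1} between the two half-sums U_c and V_{c'}, and then builds the nm x (n-1-k) matrix A whose rows are y_{i,j} times the top coefficients of L_i, checking that the 0/1 target vector lies in the lattice {v : vA = 0 mod q}. All function names (make_instance, mitm_solve, linearisation_matrix, in_lattice, target_vector) and the sample parameters are ours, not the paper's.

```python
# Added example (not from the paper): meet-in-the-middle recovery (Section 2.3)
# and the linearisation matrix A of Section 3.1/3.2, over a prime field Z_q.
# Function names and parameters are ours.
import random
from itertools import product


def poly_mul(a, b, q):
    """Product of two coefficient lists (lowest degree first) modulo q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return out


def poly_eval(coeffs, x, q):
    """Horner evaluation of a coefficient list at x modulo q."""
    r = 0
    for c in reversed(coeffs):
        r = (r * x + c) % q
    return r


def lagrange_basis(xs, q):
    """Coefficient lists of L_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j), one per i."""
    basis = []
    for i, xi in enumerate(xs):
        num, den = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                num = poly_mul(num, [(-xj) % q, 1], q)
                den = den * (xi - xj) % q
        inv = pow(den, -1, q)
        basis.append([c * inv % q for c in num])
    return basis


def make_instance(q, k, n, m, seed=1):
    """Constructed instance: secret degree-k P, distinct x_i, and sets S_i holding
    P(x_i) plus m-1 uniformly random field elements in random order."""
    rng = random.Random(seed)
    P = [rng.randrange(q) for _ in range(k + 1)]
    xs = rng.sample(range(1, q), n)
    sets = []
    for xi in xs:
        s = [rng.randrange(q) for _ in range(m - 1)] + [poly_eval(P, xi, q)]
        rng.shuffle(s)
        sets.append(s)
    return P, xs, sets


def mitm_solve(xs, sets, k, q):
    """Section 2.3 on the n' = len(xs) points given.  Left half: U_c = sum y_{i,c_i} L_i;
    right half: V_c' = -sum y_{i,c'_i} L_i.  A collision on the coefficients of
    x^{k+1..n'-1} means U_c - V_c' has degree <= k, i.e. it is the solution."""
    n_prime, m = len(xs), len(sets[0])
    basis = lagrange_basis(xs, q)
    half = n_prime // 2
    top = range(k + 1, n_prime)                     # coefficients that must cancel

    def partial_sum(indices, choice, sign):
        acc = [0] * n_prime
        for i, ci in zip(indices, choice):
            for d, coef in enumerate(basis[i]):
                acc[d] = (acc[d] + sign * sets[i][ci] * coef) % q
        return acc

    table = {}                                      # key: top coefficients of U_c
    for c in product(range(m), repeat=half):
        u = partial_sum(range(half), c, +1)
        table.setdefault(tuple(u[d] for d in top), []).append(u)
    for c in product(range(m), repeat=n_prime - half):
        v = partial_sum(range(half, n_prime), c, -1)
        for u in table.get(tuple(v[d] for d in top), []):
            return [(u[d] - v[d]) % q for d in range(k + 1)]   # coefficients of P
    return None


def linearisation_matrix(xs, sets, k, q):
    """Section 3.1/3.2: the nm x (n-1-k) matrix A whose row (i,j) is
    y_{i,j} * (coefficients of x^{k+1}, ..., x^{n-1} in L_i).  The lattice L of
    the paper is L(A) = {v in Z^{nm} : v A = 0 (mod q)}."""
    n = len(xs)
    basis = lagrange_basis(xs, q)
    return [[y * basis[i][d] % q for d in range(k + 1, n)]
            for i in range(n) for y in sets[i]]


def in_lattice(v, A, q):
    """Membership test v A == 0 (mod q) for the Ajtai lattice L(A)."""
    return all(sum(vi * row[c] for vi, row in zip(v, A)) % q == 0
               for c in range(len(A[0])))


def target_vector(P, xs, sets, q):
    """delta_{i,j} = 1 exactly when y_{i,j} = P(x_i); its squared norm is n."""
    return [int(y == poly_eval(P, xi, q)) for xi, s in zip(xs, sets) for y in s]


if __name__ == "__main__":
    q, k, n, m = 1000003, 3, 8, 2       # toy sizes; the paper's are n = 160, 80-bit q
    P, xs, sets = make_instance(q, k, n, m)
    print("recovered P:", mitm_solve(xs, sets, k, q) == P)
    A = linearisation_matrix(xs, sets, k, q)
    print("target vector in L(A):", in_lattice(target_vector(P, xs, sets, q), A, q))
```

The two lists have m^{n'/2} = 16 entries each here; at the paper's parameters (m = 2, n' = 160) the same loop costs about 2^80 operations, which is why Section 3 turns to lattice reduction instead. The matrix A is exactly the one written out in Section 3.2; a reduction algorithm run on a basis of L(A) is what the experiments of Section 3.6 do.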



3.2 Volume of the Lattice 

The previous lattice is related to the lattices used by Ajtai [1] in his
celebrated worst-case/average-case equivalence for certain lattice problems.
More precisely, let $A$ be an $n \times \ell$ matrix in $\mathbb{Z}_q$ where
$q$ is any integer. Let $L(A)$ be the set of $n$-dimensional integer row
vectors $x$ such that $xA \equiv 0 \pmod q$. We call $L(A)$ the Ajtai lattice
associated to $A$. It is easy to see that $L(A)$ is an $n$-dimensional lattice
in $\mathbb{Z}^n$, from which one derives:

Lemma 1. Let $A \in \mathcal{M}_{n,\ell}(\mathbb{Z}_q)$. Then the volume of
$L(A)$ divides $q^{\ell}$. It is exactly $q^{\ell}$ if and only if
$\{xA : x \in \mathbb{Z}^n\}$ is entirely $\mathbb{Z}_q^{\ell}$.

Proof: By definition, $L(A)$ is the kernel of the group homomorphism that maps
any $x \in \mathbb{Z}^n$ to $(xA \bmod q) \in \mathbb{Z}_q^{\ell}$. Therefore
the group quotient $\mathbb{Z}^n / L(A)$ is isomorphic to the image of $A$.
But since $L(A)$ is a full-dimensional lattice in $\mathbb{Z}^n$, its volume
is simply the index $[\mathbb{Z}^n : L(A)]$ of $L(A)$ in $\mathbb{Z}^n$, from
which both statements follow. □

¹ If we used the field $GF(q^a)$ rather than $\mathbb{Z}_q$ we would have
$a(n-1-k)$ equations in $nm$ unknowns over $\mathbb{Z}_q$ and the linear
system might be solvable directly.
Letting $L_i(x) = \sum_{j=0}^{n-1} \ell_{i,j}\, x^j$, the lattice $L$ of
Section 3.1 is equal to $L(A)$, where $F = \mathbb{Z}_q$ and $A$ is the
following matrix of dimension $nm \times (n-1-k)$:

$$A = \begin{pmatrix}
y_{1,1}\,\ell_{1,k+1} & \cdots & y_{1,1}\,\ell_{1,n-1} \\
y_{1,2}\,\ell_{1,k+1} & \cdots & y_{1,2}\,\ell_{1,n-1} \\
\vdots & & \vdots \\
y_{n,m}\,\ell_{n,k+1} & \cdots & y_{n,m}\,\ell_{n,n-1}
\end{pmatrix}$$

Lemma 2. Assume that for all $1 \le i \le n$ there exists $1 \le w_i \le m$
such that $y_{i,w_i} \ne 0$. Then $\mathrm{rank}(A) = n-1-k$.

Proof: Remember that for all $(a_1, \dots, a_n) \in F^n$ and
$f(x) = \sum_{i=1}^{n} a_i L_i(x)$ we have $f(x_i) = a_i$. Hence
$\sum_{i=1}^{n} a_i L_i(x) = 0$ implies $a_1 = \dots = a_n = 0$. This shows
that the $n \times n$ matrix $(\ell_{i,j})_{1 \le i \le n,\; 0 \le j \le n-1}$
is nonsingular. In particular, the last $n-1-k$ columns are linearly
independent and thus the matrix
$(\ell_{i,j})_{1 \le i \le n,\; k+1 \le j \le n-1}$ has rank $n-1-k$. We
assumed that $y_{i,w_i} \ne 0$ and therefore the matrix
$A_0 = (y_{i,w_i}\,\ell_{i,j})_{1 \le i \le n,\; k+1 \le j \le n-1}$ has rank
$n-1-k$ too. Since $A_0$ is a submatrix of $A$, it follows that $A$ has rank
$n-1-k$ too. □

A consequence of this lemma is that the box $\{0, \dots, q-1\}^{nm}$ contains
exactly $q^{\,nm-n+1+k}$ points of $L(A)$, and hence the volume of $L(A)$ is
$q^{\,n-1-k}$. Therefore, if $\gamma_d$ denotes Hermite's constant of order
$d$, we have:

$$\lambda_1(L) \le \sqrt{\gamma_{nm}}\; q^{\frac{n-1-k}{nm}},$$

where $\lambda_1(L)$ is the first minimum of $L$ (the length of a shortest
non-zero lattice point). The best asymptotic estimate known of Hermite's
constant is the following (see [7]):

$$\frac{d}{2\pi e} + \frac{\log(\pi d)}{2\pi e} + o(1) \;\le\; \gamma_d \;\le\; \frac{1.744\, d}{2\pi e}\,(1 + o(1)).$$

It follows that one expects the target vector to be the shortest lattice
vector if its norm $\sqrt{n}$ is small compared to
$\sqrt{\gamma_{nm}}\; q^{(n-1-k)/(nm)}$. This condition is very heuristic,
as the lattice $L$ cannot be considered as a "random" lattice.

3.3 Structure of the Lattice 

We now give a different heuristic argument to guess when the target vector is
the shortest vector. The argument is inspired by lattice-based attacks against
low-density subset sums (see [20,9]). If we denote by $N(n, r)$ the number of
integer points in the $n$-dimensional sphere of radius $\sqrt{r}$ centered at
the origin, we have the following elementary result:

Lemma 3. Let $A$ be an $nm \times \ell$ matrix in $\mathbb{Z}_q$ ($q$ prime)
chosen at random with uniform distribution. Then:

$$\Pr\bigl(\lambda_1(L(A)) \le \sqrt{n}\bigr) \;\le\; \frac{N(nm, n)}{q^{\ell}}.$$

Proof: Let $x = (x_1, \dots, x_{nm}) \in \mathbb{Z}^{nm}$ be a non-zero
vector. The probability that $xA \equiv 0 \pmod q$ for a uniformly chosen
matrix $A = (a_{i,j})_{1 \le i \le nm,\; 1 \le j \le \ell}$ is $q^{-\ell}$.
Indeed, there exists $i_0 \in \{1, \dots, nm\}$ such that $x_{i_0} \ne 0$.
Then, for any choice of $(a_{i,j})_{i \ne i_0,\; 1 \le j \le \ell}$, there
exists a unique choice of $(a_{i_0,j})_{1 \le j \le \ell}$ such that
$xA \equiv 0 \pmod q$, which gives the expected probability. Since the number
of possible $x$ is less than $N(nm, n)$, the result follows. □

It follows that one expects the target vector to be the shortest lattice
vector when $N(nm, n) \ll q^{\,n-1-k}$. Numerical values of $N(nm, n)$ can be
computed by recursion, and sharp theoretical estimates of $N(nm, n)$ can be
obtained using the power series $\theta(z) = 1 + 2\sum_{i=1}^{\infty} z^{i^2}$
(see [23, Lemma 1]). However, the condition is still heuristic, since in our
case the matrix $A$ cannot be considered as uniformly distributed. In
particular, it does not seem easy to compute the probability that a fixed
vector belongs to the lattice $L(A)$ for a randomly chosen instance of noisy
polynomial interpolation.



3.4 Reduction by Lattice Improvement 

To achieve a reduction from noisy polynomial interpolation to the lattice
shortest vector problem, we consider a certain sublattice. The improvement is
based on a property of the target vector which has not been used so far: for
all $i_1$ and $i_2$,
$\sum_{j=1}^{m} \delta_{i_1,j} = \sum_{j=1}^{m} \delta_{i_2,j} = 1$. This
leads us to define the lattice $L'$ as the set of lattice points
$(d_{1,1}, d_{1,2}, \dots, d_{n,m}) \in L$ such that for all $i_1$ and $i_2$:

$$\sum_{j=1}^{m} d_{i_1,j} = \sum_{j=1}^{m} d_{i_2,j}. \qquad (1)$$

Since $L'$ is the intersection of the full-dimensional lattice $L$ (in
$\mathbb{Z}^{nm}$) with an $(nm-n+1)$-dimensional vector subspace, $L'$ is an
$(nm-n+1)$-dimensional lattice in $\mathbb{Z}^{nm}$, which can be computed in
polynomial time.

We will be able to compute the probability that a (fixed) short vector
satisfying (1) belongs to $L'$, which was apparently not possible for $L$.
The probability is with respect to the natural distribution induced by the
definition of noisy polynomial interpolation, which is the following:

— Let $x_1, \dots, x_n$ be distinct elements of $F = \mathbb{Z}_q$, and $g$
be a function from $\{1, \dots, n\}$ to $\{1, \dots, m\}$.

— Choose uniformly at random a $k$-degree polynomial $P$ in $F[x]$.

— For all $i \in \{1, \dots, n\}$ and $j \in \{1, \dots, m\} \setminus \{g(i)\}$,
choose uniformly at random an element $y_{i,j}$ in $F$, and let
$y_{i,g(i)} = P(x_i)$.
Recall that the noisy polynomial interpolation problem is to recover either
$P$ or $g$, given $k$, the $y_{i,j}$'s and the $x_i$'s. The (secret) function
$g$ indicates which $y_{i,j}$ is equal to $P(x_i)$.

Let $d = (d_{1,1}, \dots, d_{n,m}) \in \mathbb{Z}^{nm}$ be a vector satisfying
(1). We define $p(d)$ as the probability that $d$ belongs to the lattice $L'$,
that is, the probability that
$\deg\bigl(\sum_{i=1}^{n} \sum_{j=1}^{m} d_{i,j}\, y_{i,j}\, L_i(x)\bigr) \le k$
with respect to the previous distribution.

Let $t(d)$ be the number of indices $i$ for which there exists at least one
nonzero $d_{i,j}$ modulo $q$ with $j \ne g(i)$:

$$t(d) = \bigl|\{\, 1 \le i \le n : \exists j \in \{1, \dots, m\} \setminus \{g(i)\} \text{ such that } d_{i,j} \not\equiv 0 \pmod q \,\}\bigr|.$$

The following technical lemma gives a formula for $p(d)$. It shows that the
heuristic assumptions made in Section 3.2 and Section 3.3 are correct for all
vectors $d$ where $t(d) \ge n-k-1$, but $p(d)$ is larger than expected when
$t(d) < n-k-1$. As we will see later, the effect of those vectors is often
negligible. A proof can be found in the full version of the paper.

Lemma 4. Let $d \in \mathbb{Z}^{nm}$ satisfying (1). Then:

$$p(d) = q^{-\min(t(d),\; n-k-1)}.$$

It follows that $p(d) > 1/q$ if and only if $t(d) = 0$ (recall that
$n > k+1$). But if $d$ satisfies (1) and $t(d) = 0$, then either $d$ is a
multiple (possibly zero) of the target vector, or at least one of $d$'s
entries is a nonzero multiple of $q$, implying $\|d\| \ge q$. By enumerating
all possible $d$'s, we finally obtain a reduction:

Theorem 1. Let $\varepsilon$ be a positive integer. Let a noisy polynomial
interpolation instance be chosen uniformly at random as described above and
let $L'$ be the sublattice built from the instance. Then the expected number
$E(\varepsilon, n, m)$ of nonzero vectors contained in $L'$, not equal to the
target vector or a multiple of it, with norm $\le \sqrt{\varepsilon}$ is:

$$E(\varepsilon, n, m) = \sum_{\lambda = -\lfloor \sqrt{\varepsilon/n} \rfloor}^{\lfloor \sqrt{\varepsilon/n} \rfloor} \;\sum_{w=1}^{n} \frac{R_{w,\lambda}(\varepsilon, n, m)}{q^{\min(w,\; n-k-1)}},$$

where $R_{w,\lambda}(\varepsilon, n, m)$ denotes the number of vectors
$d = (d_{1,1}, \dots, d_{n,m}) \in \mathbb{Z}^{nm}$ satisfying (1) such that
$t(d) = w$, $\|d\| \le \sqrt{\varepsilon}$ and $\sum_{j=1}^{m} d_{1,j} = \lambda$.

If $E(n, n, m) < 1$ then $E(n, n, m)$ is a nontrivial upper bound on the
probability that $L'$ contains a nonzero vector shorter than the target
vector. The proof of Theorem 1 and numerical methods to compute
$E(\varepsilon, n, m)$ are given in the full version of the paper. The
results are more complicated than low-density subset sum attacks for the
following reasons. In low-density subset sum attacks, one can compute fairly
easily an upper bound of the probability that a fixed nonzero short vector
(different from the target vector) belongs to a certain lattice built from
the subset sum instance (see [20,9]). And the bound obtained is independent
of the vector. It then remains to estimate the number of possible short
vectors, by bounding the number of integer points in high-dimensional spheres
(using techniques of [23]). Here, we have an exact formula for the
probability instead of an upper bound, but the formula depends on the vector,
for it involves $t(d)$. This leads to more complicated enumerations and
asymptotic formulas. Hence, we cannot give a criterion as "simple" as the
low-density criterion for subset sum to indicate when the reduction is
expected to hold. However, for some special cases we have some preliminary
results:

Lemma 5. Let n > 2, m > 2 and . Let 0 1 and ( ) = 1 -I- 

2Er=i Then: 



{n [n/2j)-h2"+i-3 



i—l — k 



< {n n 2) < 



{n [n/2j)-h2"+i 



I—l — k 



+ 2r?/ -h4n/ 



{n n m) < 



(nm n) 

^ J +3 

n—l — k 



— n 




( r 



n 



- 1 



The proof of Lemma 5 can be found in the full version of the paper. Note that
$\theta(z)$ can be approximated numerically. The results for the case $m = 2$
are much stronger than the result for a general $m$. From a practical point
of view, we can alternatively compute the upper bound $E(\varepsilon, n, m)$
numerically for any given choice of the parameters. And the bound seems to be
sharp in practice.

The following table shows, for some values of $m$ and $n$, the largest $k$
such that the expected number of vectors with norm shorter than or equal to
$\sqrt{n}$ is smaller than 1. We compare this to the largest $k$ for which we
would expect the target vector to be the shortest vector in the original
lattice $L$ without improvement.

A missing entry in the column says that for this particular choice of $m$ and
$n$ the problem is very likely not solvable with the lattice-based method for
any $k$. We have chosen $m$ and $n$ such that the meet-in-the-middle method
has a time complexity of $2^{80}$. We have chosen $q > 2^{80}$, so that
elements of $F$ can be used to represent 80-bit keys for symmetric ciphers.



  m     n   log2(q)   largest k (sublattice L')   largest k (lattice L)
  2   160     80               155                       152
  3   115     80               110                       108
  4   105     80               100                        98
 16    44     80                40                        39
256    20     80                 -                         -

3.5 Non-prime Fields 

When $F$ is a field of the form $GF(q^a)$ with $a > 1$, Lemma 4 still holds if
one replaces $q$ by $q^a$, with the same definition of $t(d)$ (that is, the
number of indices $i$ for which there exists at least one nonzero $d_{i,j}$
modulo $q$ with $j \ne g(i)$), so that
$p(d) = q^{-a \min(t(d),\; n-k-1)}$. Theorem 1 and Lemma 5 need to be
modified accordingly. It follows that the lattice-based approach is useful
only when the characteristic of $F$ is sufficiently high ($q > \sqrt{n}$), so
that any vector $d$ satisfying $t(d) = 0$ is strictly longer than the target
vector.
3.6 Experiments

We implemented the improved lattice-based method on a 500 MHz 64-bit DEC
Alpha using Victor Shoup's NTL library [34]. For a randomly chosen instance,
we built the corresponding sublattice $L'$. For lattice reduction, we
successively applied three different types of reduction: plain LLL [21],
Schnorr's BKZ reduction [30,31] with block size 20, and when necessary,
Schnorr-Hörner's pruned BKZ reduction [32] with block size 54 and pruning
factor 14. We stopped the reduction as soon as the reduced basis contained
the target vector.

To fix ideas on the efficiency of the lattice-based method, we chose $n = 160$
and $m = 2$, with a prime field of size 80 bits. The error-correction method
succeeds only if $k < 80$. The meet-in-the-middle method requires at least
$2^{80}$ operations. And the Gröbner basis approaches are very unlikely to be
practical. Numerical values given by Theorem 1 (see Section 3.4) suggest that
the noisy polynomial interpolation problem can be reduced to a lattice
shortest vector problem as long as $k \le 155$. The lattice dimension is then
160. Our implementation was able to solve noisy polynomial interpolation up to
$k = 154$. For $k \le 152$, only BKZ-20 reduction was necessary, and the total
running time was less than 4 hours. For $153 \le k \le 154$, an additional
Schnorr-Hörner pruned BKZ reduction was necessary: 1 hour for $k = 153$, and
8 hours for $k = 154$. We do not know if the theoretical value of $k = 155$
can be reached in practice: the corresponding lattice problem is hard because
there are many lattice points almost as short as the target vector. The
situation might be similar to lattice-based subset sum attacks: when the
subset sum density is very close to the critical density, and the lattice
dimension is large, the lattice problem is hard. It is worth noting that to
ensure the uniqueness of the solution, one should have $k < 156$. This
suggests that the lattice-based method is likely to solve most instances of
practical interest for small $m$. We also made a few experiments with $m > 2$.
A BKZ-20 reduction can solve in one day the problem with $n = 115$, $k = 101$,
$m = 3$ and $n = 105$, $k = 80$, $m = 4$. For such parameters, the
meet-in-the-middle method requires at least $2^{80}$ operations.

4 Cryptographic Implications 

We showed that when the parameters satisfy a certain relation, there exists a
provable reduction from noisy polynomial interpolation to the lattice shortest
vector problem. This results in an attack which is much more effective than
previously known methods based on list decoding algorithms, due to the
strength of current lattice reduction algorithms. We could not apply the same
method to the polynomial reconstruction problem. This suggests (but does not
prove) that the polynomial reconstruction problem is harder than the noisy
polynomial interpolation problem, so that Conjecture 3.1 in [26] about the
hardness equivalence² of the two problems does not hold.

² In fact, Conjecture 3.1 relates the hardness of polynomial reconstruction
and an easier version of noisy polynomial interpolation.
It follows that cryptographic protocols should, if possible, be based on the
polynomial reconstruction problem rather than the noisy polynomial
interpolation problem. Such a change is possible for the oblivious polynomial
evaluation of Naor and Pinkas [26]. There are two players, Alice and Bob.
Bob's secret input is a polynomial $P(y)$, which he hides in a bivariate
polynomial $Q(x, y)$ such that $Q(0, y) = P(y)$. Alice has a secret value
$\alpha$ and would like to learn $P(\alpha)$. Alice chooses a polynomial
$S(x)$ with $S(0) = \alpha$. In a crucial step of the protocol Alice would
like to learn $Q(x_i, S(x_i))$ without revealing $S(x)$. This is done by
sending $x_i$ and a list of random values $y_{i,j}$, except that one of the
values is $S(x_i)$. Bob computes $Q(x_i, y_{i,j})$ for all these values and
Alice retrieves the answer she is interested in using a 1-out-of-$m$
oblivious transfer. The privacy of Alice depends on the difficulty of finding
$S(x)$ given the $x_i$'s and $y_{i,j}$'s, i.e. the noisy polynomial
interpolation problem. However, the protocol can be changed by using the
points $(x_{i,j}, y_{i,j})$ for distinct $x_{i,j}$'s rather than
$(x_i, y_{i,j})$ [29], which turns the attacker's problem into polynomial
reconstruction.

Another way to prevent lattice-based attacks is to use a field where computing
discrete logarithms is intractable, and to publish powers of a fixed base
raised to the $y_{i,j}$'s rather than the values $y_{i,j}$ themselves. It is
then still possible to perform a polynomial interpolation in the exponent,
that is, to compute the power corresponding to $P(x)$ given sufficiently many
powers corresponding to $P(x_i)$. In fact, the meet-in-the-middle method is
the only algorithm known to us that is applicable in this case, and it can
only be used for the noisy polynomial interpolation problem but not for the
polynomial reconstruction problem. A protocol using the polynomial
interpolation problem combined with the discrete logarithm problem is
described in [25].

5 Noisy Chinese Remaindering 

There is a well-known analogy between polynomials and integers: the polynomial
degree corresponds to the integer size; Lagrange's interpolation corresponds
to Chinese remainders; and polynomial evaluation corresponds to the modulo
operation (in fact, a polynomial $P$ evaluated at $x_0$ can also be viewed as
the remainder of $P(x)$ modulo the linear polynomial $x - x_0$). We refer to
[15] for some examples. The noisy polynomial interpolation and polynomial
reconstruction problems then become the following ones:

Problem 3 (Noisy Chinese remaindering). Let $0 \le X < B$, and
$p_1, \dots, p_n$ be coprime integers. Given $n$ sets $S_1, \dots, S_n$ where
each $S_i = \{y_{i,j}\}_{1 \le j \le m}$ contains $m-1$ random elements in
$\mathbb{Z}_{p_i}$ and $X \bmod p_i$, recover the integer $X$, provided that
the solution is unique (e.g., $m^n B \ll \prod_{i=1}^{n} p_i$).

Problem 4 (Chinese remaindering with errors). Given as input integers $t$,
$B$ and $n$ points $(r_1, p_1), \dots, (r_n, p_n) \in \mathbb{Z}^2$ where the
$p_i$'s are coprime, output all numbers $0 \le X < B$ such that
$X \equiv r_i \pmod{p_i}$ for at least $t$ values of $i$.

We refer to [15] for a history of the latter problem, which is beyond the
scope of this article. We will only mention that the best decoding algorithm
known for the problem is the recent lattice-based work of Boneh [6], which
improves previous work of Goldreich et al. [15]. The algorithm works in
polynomial time and solves the problem provided that a certain condition is
satisfied. The exact condition is analogous to the bound obtained by the GS
algorithm for polynomial reconstruction.

We note that there are two well-known problems for which the general noisy
Chinese remaindering problem (in which one allows different sizes for the sets
$S_i$) arises. The first problem is point counting on elliptic curves over
finite fields. The best general algorithm for this problem is the
Schoof-Elkies-Atkin (SEA) algorithm [33,12,4,5] (see [22] for implementation
issues). Let $E$ be an elliptic curve over a finite field of cardinality $q$.
Hasse's theorem states that the cardinality of $E$ is of the form $q + 1 - t$
where $|t| \le 2\sqrt{q}$. The SEA algorithm tries to determine this $t$,
using Chinese remainders. However, in practice, it turns out to be too
expensive to compute the exact value of $t$ modulo sufficiently many coprime
numbers. Therefore, one actually determines many coprime numbers of two kinds:
for the first kind of numbers, $t$ modulo such numbers is exactly known; for
the second kind of numbers, the value of $t$ modulo such numbers is
constrained to a small number of values. This is exactly a noisy Chinese
remaindering problem. To solve this problem, current versions of SEA apply a
meet-in-the-middle strategy. The second problem is integer factorization of
numbers of the form $N = p^2 q$. It has been noticed for some time (see for
instance [28]) that for any number $a$, the Jacobi symbol $(a/N)$ is equal to
the Legendre symbol $(a/q)$. It follows that for any number $a$, $q \bmod a$
is limited to half of $\mathbb{Z}_a$, and such a half can be determined. The
problem of computing $q$ can thus be viewed as a noisy Chinese remaindering
problem. However, the $S_i$'s are so dense that this formulation is likely to
be useless.

We briefly review methods for noisy Chinese remaindering, analogous to the
ones we described for noisy polynomial interpolation. One can first use the
analog of the meet-in-the-middle method of Section 2.3. One can also use the
reduction to Chinese remaindering with errors and the algorithm of [6], in a
way analogous to Section 2.1. But the following simpler method achieves the
same results.

5.1 Coppersmith's Method 

We obtain an analogous method to the Gröbner basis approach by translating 
the problem in terms of polynomial equations. The solution $x$ satisfies, for each $i$, 
the following equation: 

$$\prod_{j=1}^{m} (x - a_{i,j}) \equiv 0 \pmod{p_i}.$$

Using Chinese remainders and collecting all equations, one obtains a univariate 
polynomial equation of degree $m$ in the unknown $x$ modulo $\prod_{i=1}^{n} p_i$. We then 
apply the following lattice-based result by Coppersmith [8]: 

Theorem 2. Let $P(x)$ be a polynomial of degree $\delta$ in one variable modulo an 
integer $N$ of possibly unknown factorization. In time polynomial in $(\log N, 2^{\delta})$, 
one can find all integers $x_0$ such that $P(x_0) \equiv 0 \pmod N$ and $|x_0| \le N^{1/\delta}$. 

In time polynomial in $(\sum_{i=1}^{n} \log p_i,\ 2^{m})$, we can thus find the solution to 
noisy Chinese remaindering, provided that the solution is bounded in absolute value by 
$(\prod_{i=1}^{n} p_i)^{1/m}$. This condition is analogous to the condition $m < n/k$ we obtained 
by applying the GS algorithm to the noisy polynomial interpolation problem. The method 
is mentioned in [6]. 

5.2 Lattice-Based Methods 

Let $N = \prod_{i=1}^{n} p_i$. By analogy with the lattice-based method of Section 3, we define 
interpolation numbers $L_i$ in $\{0, \ldots, N - 1\}$ by $L_i \equiv 1 \pmod{p_i}$ and 
$L_i \equiv 0 \pmod{\prod_{j \ne i} p_j}$. The solution $x$ of noisy Chinese remaindering satisfies: 

$$x \equiv \sum_{i=1}^{n} (x \bmod p_i)\, L_i \pmod N.$$

We linearize the problem: letting $\epsilon_{i,j}$ equal 1 if $x \equiv a_{i,j} \pmod{p_i}$, and 0 
otherwise, one obtains 

$$x \equiv \sum_{i=1}^{n} \sum_{j=1}^{m} \epsilon_{i,j}\, a_{i,j}\, L_i \pmod N.$$

This equation basically says that $x$ is a small subset sum of the $a_{i,j} L_i$'s modulo 
$N$. It is thus natural to consider the $(nm+1)$-dimensional lattice $L$ spanned by 
the rows of the following matrix: 

$$\begin{pmatrix} N & 0 & \cdots & \cdots & 0 \\ a_{1,1} L_1 & 1 & 0 & \cdots & 0 \\ a_{1,2} L_1 & 0 & 1 & \ddots & \vdots \\ \vdots & \vdots & \ddots & \ddots & 0 \\ a_{n,m} L_n & 0 & \cdots & 0 & 1 \end{pmatrix}$$

The lattice $L$ is the set of integer row vectors $(x, \epsilon_{1,1}, \epsilon_{1,2}, \ldots, \epsilon_{n,m}) \in 
\mathbb{Z}^{nm+1}$ such that $x \equiv \sum_{i=1}^{n} \sum_{j=1}^{m} \epsilon_{i,j} a_{i,j} L_i \pmod N$. It contains the target 
vector $(x, \epsilon_{1,1}, \epsilon_{1,2}, \ldots, \epsilon_{n,m})$, which is short: its last $nm$ coordinates are 0 or 1, with 
exactly $n$ ones. Since the previous matrix is triangular, the volume of $L$ is simply the product 
of its diagonal entries, $N$. It follows that the target vector is expected to be the shortest 
vector of $L$ when 

$$\sqrt{n+1} \ll \sqrt{nm+1}\; N^{1/(nm+1)},$$

that is, roughly, $\sqrt{n} \ll N^{1/(nm+1)}$. This condition should however be taken with care, 
as the lattice $L$ cannot be considered as random. For instance, note that any 
sufficiently short linear relation between $a_{i,1}, a_{i,2}, \ldots, a_{i,m}$ gives rise to a shorter 
lattice point. It can be proved that such a case occurs when one of the $p_i$'s is 
small or one of the $|a_{i,j}|$'s is big (using the notion of orthogonal lattice [27], see full 
version). As with noisy polynomial interpolation, one can improve the lattice $L$ 
by considering the sublattice of points $(x, \epsilon_{1,1}, \epsilon_{1,2}, \ldots, \epsilon_{n,m}) \in L$ such 
that, for all $i_1$ and $i_2$, $\sum_{j} \epsilon_{i_1,j} = \sum_{j} \epsilon_{i_2,j}$. However, the previous obstruction 
still holds (see full version of the paper). Thus, the lattice-based approach is 
unlikely to be useful for elliptic curve point counting or integer factorization. 
Still, the reduction can be proved for certain choices of the parameters, for we 
have the following analog of Lemma 4. 

Lemma 6. Let d = ( i_i i _2 ■ ■ ■ n,m ) G satisfying (1) and 

shorter than the target vector. Assume that {m + l)-y/rr+T /2. Then: 

< - min(i(d),n-fc) 



where = minpj, is the least positive integer such that {m+l)\/n+l 
and t(d) = |{1< < n :3 €{1... m} \ ( ) such that ij ^ 0 modpi} |. 

This lemma is useful when none of the $|a_{i,j}|$'s are big and none of the $p_i$'s are 
small (which is not the case arising in elliptic curve point counting or integer 
factorization), in which case one can obtain a provable reduction to the lattice 
shortest vector problem roughly similar to Theorem 1, since one can upper bound 
the probability that there exists a nonzero vector strictly shorter than the target 
vector. In particular, by taking all the $p_i$'s of the same size (such as 32 bits), it 
is easy to build instances for which the lattice-based approach can experimen- 
tally solve noisy Chinese remaindering with a bound much larger than with 
Coppersmith's method. 



6 Conclusion 

We presented various methods to solve the noisy polynomial interpolation prob- 
lem. In particular, we proved the existence of a reduction from the noisy poly- 
nomial interpolation problem to the lattice shortest vector problem, for many 
choices of the parameters. This reduction appears to be very efficient in practice: 
experimental evidence suggests that many instances can be solved using standard 
lattice reduction algorithms. We therefore suggested simple modifications to sev- 
eral cryptographic schemes for which the security assumption relied on the com- 
putational hardness of noisy polynomial interpolation. We also briefly discussed 
analogous methods to solve the related noisy Chinese remaindering problem. 
The lattice-based approach is the best known method for certain choices of the 
parameters, but unfortunately not in applications such as elliptic curve point 
counting or integer factorization. There are several open problems, such as: 

— Is there a better³ reduction from noisy polynomial interpolation or Chinese 
remaindering to the lattice shortest vector problem? 

— Is there a lattice-based method to solve the polynomial reconstruction prob- 
lem? 

³ holding for more or all choices of the parameters. 
Abstract. We introduce an attack against the ISO/IEC 9796-1 digital 
signature scheme using redundancy, taking advantage of the multiplica- 
tive property of the RSA and Rabin cryptosystems. The forged signature 
of 1 message is obtained from the signature of 3 others for any public 
exponent v. For even v, the modulus is factored from the signature of 4 
messages, or just 2 for v = 2. The attacker must select the above mes- 
sages from a particular message subset, whose size grows exponentially 
with the public modulus bit size. The attack is computationally inex- 
pensive, and works for any modulus of 16z, 16z ± 1, or 16z ± 2 bits. 
This prompts the need to revise ISO/IEC 9796-1, or to avoid its use in 
situations where an adversary could obtain the signature of even a few 
mostly chosen messages. 



1 Introduction 

ISO/IEC 9796-1 [1] [2] is an international standard specifying a digital signa- 
ture scheme giving message recovery, designed primarily for the RSA and Rabin 
public key cryptosystems. 

To sign a message $M$, it is first transformed by inserting redundant infor- 
mation obtained by simple transformations of individual bytes of $M$, producing 
the expanded message $\tilde M$; then the private key function $S$ of the cryptosystem 
is applied, producing the signature $S_M = S(\tilde M)$. 

To verify an alleged signature $S'$, the public key function $V$ of the cryptosys- 
tem is applied, producing an alleged expanded message $\tilde M' = V(S')$; then the 
alleged message $M'$ is recovered from $\tilde M'$ by straightforward extraction, and it 
is checked that $\tilde M'$ is what it should be under the signature production process. 

ISO/IEC 9796-1 expansion makes it highly improbable that a randomly gen- 
erated value is an acceptable signature. It meets precise design criteria in order 
to guard against a variety of other attacks, see [3] and [2]. 

The recently introduced Coron-Naccache-Stern forgery strategy of [4] is ef- 
fective on a slightly simplified variant of ISO/IEC 9796-1. Motivated by this 
breakthrough and unaware of an extension to the full standard in [6], the author 
made an independent effort to attack ISO/IEC 9796-1 and discovered a new, 
simple and effective method. 

In a nutshell, we efficiently construct many message pairs $A, B$ with $\tilde A / \tilde B$ 
equal to a common ratio. Forgery follows from the multiplicative property of the 
cryptosystem used: $S(\tilde A \tilde B) = S(\tilde A)\, S(\tilde B)$. 

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 70-80, 2000. 

© Springer- Verlag Berlin Heidelberg 2000 
2 Definitions 

When there is no ambiguity, we assimilate a bit string of fixed length and the in- 
teger having this binary representation. Following ISO/IEC 9796-1 unless stated 
otherwise, we use the notations 

$x \| y$        Concatenation of bitstrings $x$ and $y$. 

$x \oplus y$        Bitwise exclusive OR of bitstrings $x$ and $y$. 

$[x]_i$        The bitstring of exactly $i$ bits with $[x]_i = x \bmod 2^i$. 

$\mathrm{lcm}(x, y)$   Least Common Multiple of $x$ and $y$. 

$\gcd(x, y)$   Greatest Common Divisor of $x$ and $y$. 

$v$        Public verification exponent. 

$k$        Number of bits in public modulus. 
           NB: the standard [1] often uses $k_s = k - 1$. 

$n$        Public modulus of $k$ bits, thus with $2^{k-1} < n < 2^k$. 

$p, q$     Secret factors of $n$, with $n = pq$; 
           if $v$ is odd, $p - 1$ and $q - 1$ are prime with $v$; 
           if $v$ is even, $(p-1)/2$ and $(q-1)/2$ are prime with $v$, 
           $p \equiv q \equiv 3 \pmod 4$ and $p - q \equiv 4 \pmod 8$. 

$(x|n)$    Jacobi symbol of $x$ with respect to $n$, used for even $v$ only. 
           $(x|n) = (x|p)(x|q) = (x^{(p-1)/2} \bmod p)\,(x^{(q-1)/2} \bmod q)$. 
           For even $v$ the construction of $p$ and $q$ is such that $(2|n) = -1$. 
           $(x|n)$ can be efficiently computed without knowledge of $p$ and $q$. 

$s$        Secret signing exponent. 
           if $v$ is odd, $s\,v \equiv 1 \pmod{\mathrm{lcm}(p-1, q-1)}$, 
           and as a consequence $(x^s)^v \equiv x \pmod n$ for any $x$; 
           if $v$ is even, $s\,v \equiv 1 \pmod{\mathrm{lcm}(p-1, q-1)/2}$, 
           and as a consequence $(x^s)^v \equiv \pm x \pmod n$ if $(x|n) = 1$. 

$z$        Number of bytes a message fits in; $z \le \lfloor (k+2)/16 \rfloor$. 

$M$        Message to sign, which breaks up into the byte string 
           $m_z \,\|\, m_{z-1} \,\|\, \cdots \,\|\, m_2 \,\|\, m_1$. 

$\tilde M$   Message as expanded according to ISO/IEC 9796-1 (see below). 
           NB: [1] and [2] use another notation for $\tilde M$. 

$S_M$      The signature of $M$. NB: [1] and [2] use another notation for $S_M$. 
           if $v$ is odd, $S_M = \min(\tilde M^s \bmod n,\ n - \tilde M^s \bmod n)$; 
           if $v$ is even, assuming $\gcd(\tilde M, n) = 1$ which is highly probable, 
           $S_M = \min\big((2^{(1-(\tilde M|n))/2}\,\tilde M)^s \bmod n,\ n - (2^{(1-(\tilde M|n))/2}\,\tilde M)^s \bmod n\big)$. 

We restrict our attack and our description of ISO/IEC 9796-1 to the cases 
$k \equiv 0, \pm 1$, or $\pm 2 \pmod{16}$, which covers many common choices of moduli, and to 
messages of $z = \lfloor (k+2)/16 \rfloor$ bytes, the maximum allowed message size. With 
these restrictions, the construction of the redundant message amounts to the 
local transformation of each byte $m_i$ of the message by an injection $\mu_i$, yielding 
the redundant message 

$$\tilde M = \mu_z(m_z) \,\|\, \mu_{z-1}(m_{z-1}) \,\|\, \cdots \,\|\, \mu_2(m_2) \,\|\, \mu_1(m_1)$$

with the injections $\mu_i$ transforming an individual byte $m_i$ of two 4-bit digits 
$x \| y$ as defined by 

$$\mu_1(x \| y) = \Pi(x) \,\|\, \Pi(y) \,\|\, y \,\|\, [6]_4$$
$$\mu_i(x \| y) = \Pi(x) \,\|\, \Pi(y) \,\|\, x \,\|\, y \qquad \text{for } 1 < i < z \tag{1}$$
$$\mu_z(x \| y) = [1]_1 \,\|\, [\Pi(x)]_{(k+2) \bmod 16} \,\|\, (\Pi(y) \oplus 1) \,\|\, x \,\|\, y$$

and where $\Pi$ is the permutation on the set of 4-bit nibbles given by 

   $x$      0 1 2 3 4 5 6 7 8 9 A B C D E F 
   $\Pi(x)$  E 3 5 8 9 4 2 F 0 D B 6 7 A C 1 

or as an equivalent definition, if the nibble $x$ consists of the bits $x_4 \| x_3 \| x_2 \| x_1$, 
$$\Pi(x) = (x_4 \oplus x_2 \oplus x_1 \oplus 1) \,\|\, (x_4 \oplus x_3 \oplus x_1 \oplus 1) \,\|\, (x_4 \oplus x_3 \oplus x_2 \oplus 1) \,\|\, (x_3 \oplus x_2 \oplus x_1).$$

3 The New Attack 

We essentially select a pair of small positive integers $a, b$, and search all the 
message pairs $A, B$ that yield redundant messages verifying 

$$\frac{\tilde A}{\tilde B} = \frac{a}{b}. \tag{2}$$

3.1 Choice of Ratio a/b 

Since the ratios $a/b$ and $b/a$ will uncover the same messages, we can restrict our 
choice of $a, b$ to $a < b$ without missing any message pairs satisfying (2). Similarly, 
we can restrict ourselves to relatively prime $a, b$. Since $\tilde A$ and $\tilde B$ are strings of 
equal length with a 1 bit on the left, we must have $b < 2a$. We transform equation 
(2) into $b \tilde A = a \tilde B$, reduce mod 16, observe $[\tilde A]_4 = [\tilde B]_4 = 6$, get $6b \equiv 6a \pmod{16}$, 
so we restrict ourselves to $a \equiv b \pmod 8$. 

Thus in the following we restrict our choice for the ratio $a/b$ to relatively 
prime integers $a, b$ with $9 \le a < b < 2a$ and $a \equiv b \pmod 8$. 

3.2 Making the Search Manageable 

Since the fraction $a/b$ is chosen irreducible, for a hypothetical message pair 
$A, B$ verifying (2), we can uniquely define the integer $W$ such that 

$$\tilde A = a\,W \quad \text{and} \quad \tilde B = b\,W. \tag{3}$$

We break up $A, B$ into bytes, and, noticing that $9 \le a < b$ implies $W < 2^{16z}$ 
for our choice of $k$, we break up $W$ into 16-bit strings 

$$W = W_z \,\|\, W_{z-1} \,\|\, \cdots \,\|\, W_2 \,\|\, W_1.$$
We break up each of the two multiplications appearing in (3) into multiply 
and add steps operating on each of the $W_i$, performed from right to left, with 
$z - 1$ steps generating an overflow to the next step, and a last step producing 
the remaining left $((k+2) \bmod 16) + 13$ bits. We define the overflows 

$$\bar a_0 = 0, \quad \bar b_0 = 0, \quad \bar a_i = \left\lfloor \frac{a\,W_i + \bar a_{i-1}}{2^{16}} \right\rfloor, \quad \bar b_i = \left\lfloor \frac{b\,W_i + \bar b_{i-1}}{2^{16}} \right\rfloor \quad \text{for } 1 \le i < z, \tag{4}$$

so we can transform (3) into the equivalent 

$$\mu_i(a_i) = a\,W_i + \bar a_{i-1} \bmod 2^{16}, \quad \mu_i(b_i) = b\,W_i + \bar b_{i-1} \bmod 2^{16} \quad \text{for } 1 \le i < z, \tag{5}$$
$$\mu_z(a_z) = a\,W_z + \bar a_{z-1}, \qquad \mu_z(b_z) = b\,W_z + \bar b_{z-1},$$

where $a_i$, $b_i$ denote the bytes of $A$, $B$. The search for message pairs $A, B$ satisfying (2) 
is equivalent to the search of $W_i, a_i, b_i, \bar a_i, \bar b_i$ satisfying (4) (5). This is $z$ smaller 
problems, linked together by the overflows $\bar a_i, \bar b_i$. 



3.3 Reducing Overflows $\bar a_i$, $\bar b_i$ to One Link $l_i$ 

Definition (4) of the overflows $\bar a_i, \bar b_i$ implies, by induction, 

$$\bar a_i = \left\lfloor \frac{a\,[W]_{16i}}{2^{16i}} \right\rfloor \quad \text{and} \quad \bar b_i = \left\lfloor \frac{b\,[W]_{16i}}{2^{16i}} \right\rfloor. \tag{6}$$

Since $0 \le [W]_{16i} < 2^{16i}$, we have 

$$0 \le \bar a_i < a \quad \text{and} \quad 0 \le \bar b_i < b. \tag{7}$$

We also observe that $\bar a_i$ and $\bar b_i$ are roughly in the ratio $a/b$; more precisely, 
equation (6) implies successively 

$$\frac{\bar a_i}{a} \le \frac{[W]_{16i}}{2^{16i}} < \frac{\bar a_i + 1}{a} \quad \text{and} \quad \frac{\bar b_i}{b} \le \frac{[W]_{16i}}{2^{16i}} < \frac{\bar b_i + 1}{b},$$

$$\frac{\bar a_i}{a} < \frac{\bar b_i + 1}{b} \quad \text{and} \quad \frac{\bar b_i}{b} < \frac{\bar a_i + 1}{a},$$

so, as a consequence of their definition, the $\bar a_i, \bar b_i$ must verify 

$$\frac{a\,\bar b_i}{b} - 1 < \bar a_i < \frac{a\,(\bar b_i + 1)}{b}. \tag{8}$$

For a given $\bar b_i$ with $0 \le \bar b_i < b$, one or two $\bar a_i$ are solutions of (8): $\lfloor a\,\bar b_i / b \rfloor$, and 
$\lfloor a\,\bar b_i / b \rfloor + 1$ if and only if $a\,\bar b_i \bmod b > b - a$. 

It is handy to group $\bar a_i, \bar b_i$ into a single link defined as 

$$l_i = \bar a_i + \bar b_i + 1 \quad \text{with} \quad 1 \le l_i \le a + b - 1, \tag{9}$$

so we can rearrange (8) into 

$$\bar a_i = \left\lfloor \frac{a\,l_i - 1}{a + b} \right\rfloor \quad \text{and} \quad \bar b_i = \left\lfloor \frac{b\,l_i}{a + b} \right\rfloor. \tag{10}$$
3.4 Turning the Problem into a Graph Traversal 

For $1 \le i \le z$ we define the sets of triples 

$$T_i = \{ (l_i, W_i, l_{i-1}) : \exists\, (a_i, b_i, \bar a_i, \bar b_i, \bar a_{i-1}, \bar b_{i-1}) \text{ verifying (4)(5)(7)(9)(10)} \}$$

and we define that $(l_i, W_i, l_{i-1}) \in T_i$ connects to $(l'_j, W'_j, l'_{j-1}) \in T_j$ when $j = i - 1$ 
and $l_{i-1} = l'_j$. Solving (2) is equivalent to finding a connected path from an 
element of $T_z$ to an element of $T_1$. If this can be achieved, a suitable $W$ is 
obtained by concatenating the $W_i$ in the path, and $A, B$ follow from (3). 



3.5 Building and Traversing the Graph 

The graph can be explored in either direction with about equal ease; we describe 
the right to left procedure. 

Initially we start with the only link $l_0 = 1$. At step $i = 1$ and growing, for 
each of the links at the previous step, we vary $a_i$ in the range $[0, 2^8 - 1]$ and directly 
compute 

$$W_i = \left( \mu_i(a_i) - \left\lfloor \frac{a\,l_{i-1} - 1}{a + b} \right\rfloor \right) a^{-1} \bmod 2^{16}. \tag{11}$$

Using an inverted table of $\mu_i$ we can determine in one lookup if there exists a 
$b_i$ such that 

$$\mu_i(b_i) = b\,W_i + \left\lfloor \frac{b\,l_{i-1}}{a + b} \right\rfloor \bmod 2^{16} \tag{12}$$

and in that case we remember the new triple $(l_i, W_i, l_{i-1})$ with the new link 

$$l_i = \left\lfloor \frac{a\,W_i + \lfloor (a\,l_{i-1} - 1)/(a+b) \rfloor}{2^{16}} \right\rfloor + \left\lfloor \frac{b\,W_i + \lfloor b\,l_{i-1}/(a+b) \rfloor}{2^{16}} \right\rfloor + 1. \tag{13}$$

We repeat this process until a step has failed to produce any link, or we 
reach $i = z$ where we need to modify (11)(12)(13) by replacing the term $2^{16}$ by 
$2^{((k+2) \bmod 16) + 13}$. 

If we produce a link in the last step $i = z$, we can obtain a solution to (2) by 
backtracking any path followed, and the resulting graph covers every solution. 

Exploration for the simplest ratio 9/17 stops on the first step, but 11/19 is 
more fruitful. For $k = 256$, and restricting to nodes belonging to a solution, we 
can draw the graph in figure 1. 

Using this graph to produce solutions to (2) is childishly simple: message 
pairs are obtained by choosing a path between terminal nodes, and collecting 
the message bytes $a_i$ (resp. $b_i$) shown above (resp. below) the nodes¹. 

¹ As a convenience we have shown the bytes $a_i$, $b_i$ of messages $A$, $B$ instead of the 
triples $(l_i, W_i, l_{i-1})$. 
Fig. 1. Graph of solutions of (2) for k = 256 and a/b = 11/19 



For example, if we follow the bottom link, the graph gives messages 

$A$ = 85f27d64ef64ef64ef152c07 
$B$ = 14ba7bf39df39df39d6ad958 

thus 

$\tilde A$ = 458515f2fa7d2964c1ef2964c1ef2964c1ef3415572cef76 
$\tilde B$ = 78146bbaf67b18f3da9d18f3da9d18f3da9d2b6aadd94086 

with indeed $\tilde A / \tilde B = 11/19$. 

3.6 Counting Solutions 

It is easy to count the solutions: assign the count 1 to right nodes, and to all 
others the sum of the counts of their right-linked nodes. The number of solutions 
to (2) is the sum of the counts of the left nodes. This gives 42 for the graph above, 
which Douglas Adams fans will appreciate. 

Since the center part of the graph has a period of two steps, it is trivial to 
extend it for higher $k$ with $k \equiv 0 \pmod{32}$. Asymptotically, this count grows by a 
constant factor each time the modulus is increased by 32 bits. 

If we take $k = 1024$ bits and restrict to $b < 2^{10}$, there are 13264 ratios worth 
exploring. About 40% are eliminated on the first step, 9% have at least one 
solution to (2), 7% have at least two solutions. There are about $5.7 \cdot 10^{14}$ usable 
message pairs, among which 98% come from the ratio 389/525 which yields $2^{49}$ 
solutions. The code computing the above statistics runs in a minute on a personal 
computer, and can output thousands of messages per second. 

Lower bounds on the number of pairs of solutions to (2) are derived by 
counting solutions for a good ratio: 

$2^{(k - 164.7\ldots)/16}$ solutions for $k \equiv -2 \pmod{16}$ using ratio 389/525, 

$1.62177^{(k - \ldots)/16}$ solutions for $k \equiv -1 \pmod{16}$ using ratio 511/775, 

$2^{(k - 240)/16}$ solutions for $k \equiv 0 \pmod{16}$ using ratio 389/525, 

$1.62177^{(k - 227.6\ldots)/16}$ solutions for $k \equiv 1 \pmod{16}$ using ratio 511/775, 

$2^{(k - 226)/16}$ solutions for $k \equiv 2 \pmod{16}$ using ratio 389/525. 
3.7 Existential Forgery from the Signature of 3 Chosen Messages 

By selecting a ratio $a/b$ and finding two message pairs $A, B$ and $A', B'$ solutions 
of (2), we can now construct 4 messages $A, B, A', B'$ such that 

$$\tilde A\,\tilde B' = \tilde A'\,\tilde B. \tag{14}$$

With high probability, $\tilde A'$ and $n$ are relatively prime², so that 

$$\tilde B \equiv \tilde A\,\tilde B'\,\tilde A'^{-1} \pmod n \tag{15}$$

and therefore, for odd $v$, 

$$S_B = \min\big(S_A\,S_{B'}\,S_{A'}^{-1} \bmod n,\ n - S_A\,S_{B'}\,S_{A'}^{-1} \bmod n\big). \tag{16}$$

If we can obtain the three signatures $S_A, S_{B'}, S_{A'}$, it is now straightforward to 
compute $S_B$, using the extended Euclidean algorithm for the modular inversion 
of $S_{A'} \bmod n$. 

For even $v$, equation (15) implies 

$$S_B = \min\big(2^{js}\,S_A\,S_{B'}\,S_{A'}^{-1} \bmod n,\ n - 2^{js}\,S_A\,S_{B'}\,S_{A'}^{-1} \bmod n\big) \tag{17}$$

with 

$$j = \frac{1 - (\tilde B|n)}{2} - \frac{1 - (\tilde A|n)}{2} - \frac{1 - (\tilde B'|n)}{2} + \frac{1 - (\tilde A'|n)}{2}.$$

If $(a|n) = (b|n)$, then $(\tilde A|n) = (\tilde B|n)$ and $(\tilde A'|n) = (\tilde B'|n)$, thus $j$ is always 0. If 
$(a|n) = -(b|n)$, $j$ is $-2$, $0$ or $2$; the case $j = 0$ has probability about 1/2, and 
it is necessary to examine at most three message pairs before finding two such 
that $j = 0$. When $j = 0$, equation (17) reduces to (16) and again we obtain a 
forgery from three signatures. 

In summary we have one forgery from three signatures for any public expo- 
nent. Using the terminology in [8], it is a chosen-message existential forgery, 
in that the adversary is bound to pick from a predefined subset the messages 
submitted for signature and the bogus message. More generally, $f$ forgeries can 
be obtained from $f + 2$ signatures. 
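The search of Sections 3.2 to 3.5 and the three-signature forgery of Section 3.7, as an added worked example. This is editor's code, not the author's program nor an ISO reference implementation. It hard-codes the injections of equation (1) and the permutation $\Pi$ of Section 2 as read from this page (the complemented bit of the leftmost byte is placed on $\Pi(y)$, which reproduces the expansion 4585...ef76 of the example of Section 3.5), keeps the two overflows of (4) as the search state instead of the single link $l_i$ (the enumeration is the same), and signs with a toy 256-bit RSA key generated on the fly with $v = 3$; the Miller-Rabin key generation, the function names and the `demo` ratio list are the example's own.

```python
import random
from math import gcd

# ISO/IEC 9796-1 nibble permutation Pi (table of Section 2).
PI = [0xE, 0x3, 0x5, 0x8, 0x9, 0x4, 0x2, 0xF,
      0x0, 0xD, 0xB, 0x6, 0x7, 0xA, 0xC, 0x1]


def mu(i, byte, k):
    """Local injection mu_i of equation (1); i = 1 is the rightmost byte, i = z the leftmost."""
    z, r = (k + 2) // 16, (k + 2) % 16
    x, y = byte >> 4, byte & 0xF
    if i == 1:
        return (PI[x] << 12) | (PI[y] << 8) | (y << 4) | 0x6
    if i < z:
        return (PI[x] << 12) | (PI[y] << 8) | (x << 4) | y
    # leftmost byte: flag bit, the low r bits of Pi(x), Pi(y) with its LSB complemented, x, y
    return (1 << (r + 12)) | ((PI[x] & ((1 << r) - 1)) << 12) | ((PI[y] ^ 1) << 8) | (x << 4) | y


def expand(msg, k):
    """Redundant message M~ = mu_z(m_z) || ... || mu_1(m_1), as a (k-1)-bit integer."""
    z = (k + 2) // 16
    assert len(msg) == z and k % 16 in (0, 1, 2, 14, 15)
    val = 0
    for i in range(z, 0, -1):
        val = (val << ((k + 2) % 16 + 13 if i == z else 16)) | mu(i, msg[z - i], k)
    return val


def find_pairs(a, b, k):
    """All byte strings (A, B) with b*expand(A) == a*expand(B): the right-to-left
    word search of Sections 3.2-3.5, with the pair of overflows as search state."""
    z = (k + 2) // 16
    a_inv = pow(a, -1, 1 << 16)                    # a is odd (a = b mod 8, gcd(a, b) = 1)
    inv = [None] + [{mu(i, m, k): m for m in range(256)} for i in range(1, z + 1)]
    dead, sols = set(), []                         # dead: states with no solution below them

    def step(i, ca, cb, path):                     # ca, cb: overflows of the previous word
        if (i, ca, cb) in dead:
            return
        before = len(sols)
        for x in range(256):                       # candidate byte a_i of message A
            if i == z:                             # last word: exact, no overflow allowed
                t = mu(z, x, k) - ca
                if t >= 0 and t % a == 0 and b * (t // a) + cb in inv[z]:
                    sols.append(path + [(x, inv[z][b * (t // a) + cb])])
                continue
            w = (mu(i, x, k) - ca) * a_inv % (1 << 16)          # equation (11)
            y = inv[i].get((b * w + cb) & 0xFFFF)               # equation (12)
            if y is not None:                                   # overflows of (4)
                step(i + 1, (a * w + ca) >> 16, (b * w + cb) >> 16, path + [(x, y)])
        if len(sols) == before:
            dead.add((i, ca, cb))

    step(1, 0, 0, [])
    return [(bytes(x for x, _ in p[::-1]), bytes(y for _, y in p[::-1])) for p in sols]


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test with random bases (toy key generation only)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def keygen(k, v, seed):
    """Toy RSA key: exactly k-bit n = pq, odd v, s*v = 1 mod lcm(p-1, q-1) (Section 2)."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        c = rng.getrandbits(k // 2) | (3 << (k // 2 - 2)) | 1       # top two bits set
        if gcd(c - 1, v) == 1 and c not in primes and is_probable_prime(c, rng):
            primes.append(c)
    p, q = primes
    return p * q, pow(v, -1, (p - 1) * (q - 1) // gcd(p - 1, q - 1))


def sign(n, s, msg, k):                       # odd v: S_M = min(M~^s, n - M~^s) mod n
    x = pow(expand(msg, k), s, n)
    return min(x, n - x)


def verify(n, v, msg, sig, k):
    y = pow(sig, v, n)
    return expand(msg, k) in (y, n - y)


def forge(n, s_a, s_b2, s_a2):
    """Equation (16): S_B = S_A * S_B' * S_A'^-1 mod n, the sign being absorbed by min."""
    x = s_a * s_b2 * pow(s_a2, -1, n) % n
    return min(x, n - x)


def demo(k=256, v=3, seed=7):
    """Two pairs for one ratio, three legitimate signatures, one forged signature of B."""
    ratios = [(11, 19)] + [(a, b) for a in range(9, 48) for b in range(a + 8, 2 * a, 8)
                           if gcd(a, b) == 1 and (a, b) != (11, 19)]
    for a, b in ratios:                       # 9 <= a < b < 2a, a = b mod 8 (Section 3.1)
        pairs = find_pairs(a, b, k)
        if len(pairs) >= 2:
            break
    else:
        raise RuntimeError("no ratio with two message pairs at this k")
    (A, B), (A2, B2) = pairs[:2]
    n, s = keygen(k, v, seed)
    s_b = forge(n, sign(n, s, A, k), sign(n, s, B2, k), sign(n, s, A2, k))
    return {"ratio": (a, b), "pairs": len(pairs), "n_bits": n.bit_length(),
            "relation_14": expand(A, k) * expand(B2, k) == expand(A2, k) * expand(B, k),
            "forged_ok": verify(n, v, B, s_b, k)}
```

`find_pairs(11, 19, 192)` returns, among others, the pair A = 85f27d64ef64ef64ef152c07, B = 14ba7bf39df39df39d6ad958 of Section 3.5 (the example messages are 12 bytes long, i.e. $k = 192$), and `demo()` never sees the private exponent: the forged $S_B$ is computed from $S_A$, $S_{B'}$ and $S_{A'}$ alone and passes the verification of Section 1.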



3.8 Total Break from the Signature of 4 Chosen Messages for Even v 

As pointed out in [7], for even public exponents $v$, finding a multiplicative relation 
among expanded messages can lead to factorisation of the public modulus $n$. 

We select a ratio $a/b$ such that $(a|n) = -(b|n)$, which for a given $n$ occurs for 
about half the ratios. We then test solutions of (2) until we find two message 
pairs $A, B$ and $A', B'$ solutions of (2) verifying $(\tilde A|n) = 1$ and $(\tilde A'|n) = -1$, with 
the probability of not finding a solution about halved after each trial. For even 
$v$, equation (15) implies 

$$2^{2s} \equiv u \pmod n \quad \text{with} \quad u = \pm\, S_B\,S_{A'}\,S_A^{-1}\,S_{B'}^{-1} \bmod n \tag{18}$$

where the term $u$ is known³. Taking the above to the known power $v/2$ and 
reducing mod $p$ gives 

$$u^{v/2} \equiv 2^{sv} \equiv (2|p)\,2 \pmod p$$

and similarly 

$$u^{v/2} \equiv (2|q)\,2 \pmod q.$$

Noticing that one of $p$ or $q$ is 3 mod 8 and the other is 7 mod 8, we have $(2|p) = 
-(2|q)$. We deduce that $(u^{v/2} + 2) \bmod n$ is a multiple of only one of $p$ or $q$. 
Therefore a prime factor of $n$ is $\gcd(u^{v/2} + 2 \bmod n,\ n)$. 

If we can obtain the four signatures $S_A, S_B, S_{A'}, S_{B'}$, we can thus factor the 
modulus $n$. Of course this lets us compute a valid signing exponent $s$ and then sign any 
message just as easily as the legitimate signer, a total break using the terminology 
in [8]. 

² else we would get a prime factor of $n$ by computing $\gcd(\tilde A', n)$. 
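The factoring step of Section 3.8, as an added example (editor's code, not from the paper). Since the point here is the arithmetic of (18) and the final gcd, the four expanded messages are not taken from the graph search: two random pairs $(aW, bW)$ and $(aW', bW')$ with the Jacobi symbols required above stand in for $\tilde A, \tilde B, \tilde A', \tilde B'$ (an assumption made for the demonstration), and the key is a small Rabin-type key with $p \equiv 3$, $q \equiv 7 \pmod 8$ and $v = 2$, built from trial-division primes; `jacobi`, `small_prime`, `rabin_keygen`, `sign_even_v` and `total_break` are the example's own names.

```python
import random
from math import gcd, isqrt


def jacobi(x, n):
    """Jacobi symbol (x|n) for odd n > 0, computed without the factorization of n."""
    x %= n
    result = 1
    while x:
        while x % 2 == 0:
            x //= 2
            if n % 8 in (3, 5):
                result = -result
        x, n = n, x
        if x % 4 == 3 and n % 4 == 3:
            result = -result
        x %= n
    return result if n == 1 else 0


def small_prime(rng, bits, residue_mod_8):
    """Random prime of the given size congruent to residue_mod_8, by trial division."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1))
        c += (residue_mod_8 - c) % 8
        if all(c % d for d in range(3, isqrt(c) + 1, 2)):
            return c


def rabin_keygen(rng, bits=20, v=2):
    """p = 3 mod 8, q = 7 mod 8 (so (2|n) = -1), s*v = 1 mod lcm(p-1, q-1)/2 (Section 2)."""
    while True:
        p, q = small_prime(rng, bits, 3), small_prime(rng, bits, 7)
        lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1) // 2
        if gcd(v, lam) == 1:
            return p, q, pow(v, -1, lam)


def sign_even_v(n, s, x):
    """Signature of an expanded message x for even v: the factor 2^((1-(x|n))/2)
    makes the base have Jacobi symbol 1 before raising it to the power s."""
    base = (x if jacobi(x, n) == 1 else 2 * x) % n
    y = pow(base, s, n)
    return min(y, n - y)


def total_break(seed=1, bits=20, v=2, a=11, b=19):
    """Recover a prime factor of n from the four signatures of Section 3.8."""
    rng = random.Random(seed)
    p, q, s = rabin_keygen(rng, bits, v)
    n = p * q
    if jacobi(a, n) != -jacobi(b, n):          # need (a|n) = -(b|n): draw another key
        return total_break(seed + 1, bits, v, a, b)

    def stand_in_pair(symbol):                  # (aW, bW) with (aW|n) = symbol, gcd(W, n) = 1
        while True:
            w = rng.randrange(1, n // b)
            if gcd(w, n) == 1 and jacobi(a * w, n) == symbol:
                return a * w, b * w

    xa, xb = stand_in_pair(1)                   # plays A~, B~  with (A~|n) = 1
    xa2, xb2 = stand_in_pair(-1)                # plays A~', B~' with (A~'|n) = -1
    assert xa * xb2 == xa2 * xb                 # relation (14)
    sa, sb, sa2, sb2 = (sign_even_v(n, s, x) for x in (xa, xb, xa2, xb2))
    u = sb * sa2 * pow(sa * sb2, -1, n) % n     # relation (18): u = +-2^(2s) mod n
    # u^(v/2) = +-2^(sv) = +-2*(2|p) mod p and +-2*(2|q) mod q with (2|p) = -(2|q),
    # so exactly one of p, q divides u^(v/2) + 2 whatever the unknown sign is
    factor = gcd(pow(u, v // 2, n) + 2, n)
    return {"n": n, "p": p, "q": q, "u": u, "factor": factor,
            "twos_check": pow(2, 2 * s, n) in (u, n - u)}
```

The sign ambiguity of footnote 3 is visible in `twos_check`: $u$ is $2^{2s}$ or $n - 2^{2s}$, and in either case `factor` is $p$ or $q$.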



3.9 Reducing the Number of Required Signatures for Small v 

Assume we can find two messages $A, B$ solution of 

$$\frac{\tilde A}{\tilde B} = \frac{a^v}{b^v} \quad \text{with } a, b \text{ relatively prime}. \tag{19}$$

This implies 

$$\tilde A^s \equiv a\,b^{-1}\,\tilde B^s \pmod n. \tag{20}$$

For odd $v$, it follows that 

$$S_A = \min\big(a\,b^{-1}\,S_B \bmod n,\ n - a\,b^{-1}\,S_B \bmod n\big) \tag{21}$$

and we obtain one forgery from a single signature. 

For even $v$, we can similarly obtain a forgery from a single signature if $(\tilde A|n) = 
(\tilde B|n)$, or factor the modulus from two signatures if $(\tilde A|n) = -(\tilde B|n)$. 

Solutions to (19) can be found for $v = 2$. For example with $v = 2$ and 
$k = 1024$, 21 among the 1933 irreducible ratios with $b < 2^{\ldots}$ give 22645 message 
pairs, among which 16059 for the ratio $19^2/25^2$. An example for $k = 512$ is: 
ECE8F706C09CA276A3FC8F00803C821D90A3C03222C37DE26F5C3FD37A886FE4 
CA969C94FA0B801DDEEA0C22932D80570F95A9C767D27FA8F06A56E7371B16DF 
For $v = 3$ the search becomes more difficult, with only 7 ratios and message 
pairs for $b < 2^{\ldots}$ and $510 \le k \le 2050$, and many values of $k$ without a solution. 

An example is $k = 510$ and ratio $49^3/57^3$ which gives the message pair: 
C6C058A3239EE6D5ED2C4D17588B02B884A30D92B5D414DDB4B5A6DA58B6901B 
20768B854644F693DB1508DE0124B4457CD7261DF699F422D9634D5E4D5781A4 

³ within sign; we could recover the sign, but it is not needed. 
3.10 Constraints on Signed Messages 

We have seen the number of usable message pairs is huge, and grows exponentially 
with the modulus bit size, by a factor of 2 or 1.62177.. for every 16 bits of modulus. 
The attacker can, with remarkable ease, select among this mass those messages 
obeying a particular constraint, simply by restricting the range of bytes allowed 
at some stage in the graph construction. 

For example with $k \equiv 0 \pmod{16}$ the ratio 389/525 generates many mostly 
ASCII message pairs, like 

2B0D59B00D060D8FF65300B56A3A3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D37 
A50F7D50962A02BDE981A4B28D9F5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A26 

If we restrict all message bytes to $[32, 126] \cup [160, 255]$, a subset of what 
Windows considers displayable, it is still easy to generate message pairs; for 
example with $k = 512$ the ratio 169/217 gives 682 message pairs like 

5374FC56DEA856DEA856DEA856DEA856DEA856DEA856DEA856DEA856439F22CF 
27D36E26425A26425A26425A26425A26425A26425A26425A26425A26CD1EB6F1 

and 

53A856DEA856DEA856DEA856DEA856DEA856DEA856DEA856DE74FCA3C7711BAF 
275A26425A26425A26425A26425A26425A26425A26425A2642D36E0D81C70B21 

3.11 Generality of the Attack 

The idea of searching solutions to (2) could apply to other redundancy schemes, 
though no actually used system comes to mind. The same search principle effi- 
ciently finds the solutions, if they exist, for any redundancy scheme that operates 
on independent segments of the message, regardless of the transformations used, 
as long as the width of the individual segments does not prevent exhaustive search. 
The search can be conducted sequentially in either direction, and works equally 
well if the redundancy added is dependent on the whole portion of the message 
on some fixed side of the segment, rather than on the segment alone. 

Experimentally, the existence of solutions to (2) appears independent of the 
particular permutation $\Pi(\cdot)$. It does depend to some degree on the repeated 
use of the same local injection, because that makes the center of the graph 
more regular. It does depend heavily on an amount of redundancy not markedly 
exceeding the message itself. 



4 Future Work 

4.1 Other Parameters 

We have restricted our attack to $k \equiv 0, \pm 1$, or $\pm 2 \pmod{16}$ and to messages 
of $z = \lfloor (k+2)/16 \rfloor$ bytes, the maximum allowed message size. The difficulty 
appears to increase quickly as the message gets shorter than half the modulus. 
The attack does work without modification for messages a few bits shorter, and 
maybe could be extended to any value of $k$. 
4.2 Attack of 'Massive Mask Changes' Variants 

As a countermeasure against the attack of [4], it has been envisioned in [5] to 
use not only three injections like in the original standard, but injections $\mu_i$ 
depending on $i$. Although the above search method applies, the author did not 
yet establish if (2) has solutions for some ratios with the particular variants⁴ 
proposed. 



4.3 Combination with Other Attacks 

Other attacks against ISO/IEC 9796-1 introduced in [4] then perfected in [6] 
construct messages whose expanded form is the product of a common 
constant $\Gamma$ and small prime factors, then by Gaussian elimination find a multi- 
plicative relation similar to (14), although among thousands of messages. 

The technique we describe can be used to efficiently find messages satisfying 
(2) where $\tilde A$ and $\tilde B$ only have small prime factors. This gives a relation readily 
usable in the Gaussian elimination process. The combined attack can operate on 
a wider range of messages, yet still has modest computing requirements. 



5 Conclusion 

Our attack applies to the full ISO/IEC 9796-1 standard, with common param- 
eters: public modulus of $16z$, $16z \pm 1$, or $16z \pm 2$ bits, and messages of $8z$ bits. 
Using an inexpensive graph traversal, we construct 2 message pairs whose ex- 
pansions are in a common ratio, giving 4 messages whose signatures are in a 
simple multiplicative relation. 

For any public exponent $v$, the attack obtains the forged signature of 1 such 
message from the legitimate signature of 3 chosen others, or asymptotically 
nearly one forgery per legitimate signature; it is a major concern for exam- 
ple if obtaining a signature is possible for a price, and forged signatures have a 
value for messages the attack applies to. 

For even $v$, the attack is a total break in situations where an attacker can ob- 
tain the signature of 4 chosen messages (or just 2 for $v = 2$). It is a major concern 
for example if the attacker can gain limited access to a signing device accepting 
arbitrary messages, as likely with an off-the-shelf Smart Card implementation 
of ISO/IEC 9796-1. 

The messages the attack can use are computationally easy to generate. Their 
number grows exponentially with the modulus size. Messages can efficiently be 
found even with a small degree of constraint on the message structure. 

This prompts the need to revise ISO/IEC 9796-1, or to avoid its use in situations 
where an adversary could obtain the signature of even a few mostly chosen 
messages. 

⁴ Remarking that $\Pi(x \oplus y) = \Pi(x) \oplus \Pi(y) \oplus \Pi(0)$, two of the three variants differ 
only by the choice of arbitrary constants. 
Abstract. ISO 9796-1, published in 1991, was the first standard specify- 
ing a digital signature scheme with message recovery. In [4], Coron, Nac- 
cache and Stern described an attack on a slight modification of ISO 9796- 
1. Then, Coppersmith, Halevi and Jutla turned it into an attack against 
the standard in full [2]. They also proposed five countermeasures for re- 
pairing it. In this paper, we show that all these countermeasures can be 
attacked, either by using already existing techniques (including a very 
recent one), or by introducing new techniques, one of them based on the 
decomposition of an integer into sums of two squares. 


1 Introduction: ISO 9796-1 and Forgery 

The first standard on digital signature schemes with message recovery is ISO 9796- 
1 [10]. At the end of the 80's, no hash-function standard was available. Consequently, 
ISO 9796-1 used only a redundancy function to resist attacks that exploit the 
multiplicative property of the RSA cryptosystem. The precautions taken in this 
standard are described in [8]. Until the rump session of Crypto '99, no known 
attack [13] was able to forge a signature compliant with the ISO 9796-1 standard. 

1.1 The ISO 9796-1 Standard 

This standard specifies how a message $m$ is encoded to a valid message 
before applying the RSA signature function. Only redundancy is used, no hash- 
function. Notations used in this paper to describe the encoding functions are the 
same as in [2]: 

— $s(x)$: the function mapping 4 bits of message to 4 bits of redundancy. It is 
a Hamming code (8, 4, 4). 

— $\bar s(x)$: the result of setting the most significant bit of $s(x)$ to 1: 

$$\bar s(x) = s(x)\ \mathrm{OR}\ 1000. \tag{1}$$

— $\tilde s(x)$: the result of flipping the least significant bit of $\bar s(x)$: 

$$\tilde s(x) = \bar s(x) \oplus 0001. \tag{2}$$

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 81-90, 2000. 

© Springer- Verlag Berlin Heidelberg 2000 
When the length of the modulus is $16z+1$ bits and the length of the message 
is $8z+1$ bits, the encoding function, or redundancy function $\mu_{ISO}$, is defined as 
follows: 

$$\mu_{ISO}(m) = \bar s(m_{l-1})\,\tilde s(m_{l-2})\,m_{l-1}\,m_{l-2}\ \ s(m_{l-3})\,s(m_{l-4})\,m_{l-3}\,m_{l-4}\ \cdots\ s(m_3)\,s(m_2)\,m_3\,m_2\ \ s(m_1)\,s(m_0)\,m_0\,6. \tag{3}$$
1.2 Attack against a Slight Modification of ISO 9796-1 

At first, a new strategy of forgery was presented at Crypto '99 by Coron, Nac- 
cache and Stern in their paper [4]. They described an attack against a slight 
modification of ISO 9796-1. Their forgery is possible when the length of the 
modulus is $16z + 1$ bits, the length of the message is $8z + 1$ bits, and the valid 
message $\mu_1(m)$ is defined as follows: 

$$\mu_1(m) = \bar s(m_{l-1})\,s(m_{l-2})\,m_{l-1}\,m_{l-2}\ \ s(m_{l-3})\,s(m_{l-4})\,m_{l-3}\,m_{l-4}\ \cdots\ s(m_3)\,s(m_2)\,m_3\,m_2\ \ s(m_1)\,s(m_0)\,m_0\,6. \tag{4}$$

Remark 1. $\mu_1(m) = \mu_{ISO}(m)$ except that $\tilde s(m_{l-2})$ is replaced by $s(m_{l-2})$. 



1.3 Attack against ISO 9796-1 and Countermeasures 

At the rump session of Crypto '99, Coppersmith, Halevi and Jutla described a 
modified version of the attack of Coron, Naccache and Stern to forge a signature 
of a chosen message when the encoding function $\mu_{ISO}$ of the ISO standard is used, 
i.e. (3). After the Crypto conference, they submitted a contribution [2] to "IEEE 
P1363 research contributions". In their paper, they proposed five possible coun- 
termeasures to avoid forgeries. Their solutions avoid Coron-Naccache-Stern-like 
forgeries, but not all forgeries, as we show now. 

More precisely, we present various chosen-message attacks against all the 
five countermeasures, in which the signatures of two (or three) messages chosen 
by the enemy allow him to forge the signature of another one. 



2 Massive Mask Changes 

Coppersmith, Halevi and Jutla propose three solutions based on the massive 
mask change technique. In their propositions, they use the same principle of 
dispersion as in ISO 9796-1. 

Remark 2. These three propositions allow message recovery, but nothing indicates 
the length of the message. In ISO 9796-1 [10], a nibble was modified in order to 
mark the length of the message. 
2.1 $\mu_1$: Fixed Redundancy 

In the first proposition, $\mu_1$, only fixed redundancy is used. The $i$-th nibble, $\pi_i$, 
in the hexadecimal expansion of the irrational number $\pi = 3.14159\ldots$, is used 
to obtain redundancy. Note that the number of bits of redundancy is half the 
number of bits of the RSA modulus $n$. 

$$\mu_1(m) = \pi_{l-1}\,\pi_{l-2}\,m_{l-1}\,m_{l-2}\ \ \pi_{l-3}\,\pi_{l-4}\,m_{l-3}\,m_{l-4}\ \cdots\ \pi_1\,\pi_0\,m_1\,m_0. \tag{5}$$

The Coron-Naccache-Stern-like forgeries are avoided. But we are at the limit of 
the efficiency of the forgery described in [12], which allows one to find three messages 
$m_1, m_2, m_3$ such that $\mu_1(m_1)\,\mu_1(m_2) \equiv \mu_1(m_3) \pmod n$ and therefore, given the 
signatures of $m_1$ and $m_2$, to forge the signature of $m_3$. Moreover, the limit of this 
attack is heuristic. Consequently, the forgery in [12] may be used. 



2.2 /X 2 and /X 3 : Irrational Numbers and Exclusive-OR 

With ^2 and ^3, the attacks based on the Coron-Naccache-Stern forgery [4], [2], 
are also avoided. In these cases, the z’th nibbles, tti and in the hexadecimal 
expansion of the irrational numbers tt = 3.14159... and e = 2.71828... respec- 
tively, are used. Moreover, the native redundancy of ISO 9796-1 is present and 
plays its role to defeat the other forgeries [13]. 

M 2 (w) = (7T/_1 0 s(m/_i))(7T/_2 © s(m/_2 ) )m/_ 1 m/_2 
(7T/_3 © s(m/_3))(7T/_4 © s(m/_4))m/_3m/_4 

(tti © s(mi))(7To © s(mo))mimo . 



^ 3 (m) = (7T/_i © s(m/_i © e/_i))(7T/_2 © s(m /_2 © e/_ 2 ))m/_im /_2 
(7T/_3 © s(m/_3 © e/_3))(7T/_4 © s(m/_4 © e/_4))m/_3m/_4 

(tti © s(mi © ei))(7To © s(mo © eo))mimo . 

Nevertheless, a new attack by Grieu [6], disclosed in October 1999, can be applied to these redundancy functions. This attack was originally directed against ISO 9796-1 [10], but its principle can be used to forge a signature when μ_2 or μ_3 is the redundancy function in a signature scheme. This forgery is based on the multiplicative property of the RSA cryptosystem and, for any public exponent, the forged signature of a message is obtained from the signatures of three other messages. This attack is computationally inexpensive and works for moduli of 16z, 16z ± 1, or 16z ± 2 bits.
3 Length Expanding Encoding: μ4

The encoding function μ_4 involves encoding the message m into a string longer than the modulus n. This solution does not have the property of message recovery. Two constants c_0 and c_1 are fixed, each half the length of the modulus n. The message m is also half the length of the modulus. The redundancy function μ_4 is defined¹ as follows:

$$\mu_4(m) = (m + c_0) \,\|\, (m + c_1) \,\|\, m . \qquad (8)$$

We can easily write μ_4 as an affine function:

$$\begin{aligned}
\mu_4(m) &= (m + c_0) \,\|\, (m + c_1) \,\|\, m \\
&= (m + c_0)\,2^{a} + (m + c_1)\,2^{b} + m \\
&= m\,\underbrace{(2^{a} + 2^{b} + 1)}_{\omega} + \underbrace{c_0\,2^{a} + c_1\,2^{b}}_{\alpha} \qquad (9) \\
&= m\omega + \alpha .
\end{aligned}$$

We are at the limit of the efficiency of the forgery described in [5] against signature schemes with an affine redundancy function. This forgery allows one to find three messages m_1, m_2, m_3 such that μ_4(m_1)μ_4(m_2) = μ_4(m_3) (mod n) and therefore, given the signatures of m_1 and m_2, to forge the signature of m_3. Moreover, the limit of this attack is heuristic. Consequently, the forgery in [5] may be used.

4 Encoding via Squaring: μ5

The redundancy function μ_5 is defined as follows:

$$\mu_5(m) = m^2 + \delta , \qquad (10)$$

where δ is a fixed random constant of about the same size as the RSA modulus n and the message m is less than the square root of the modulus n. We present two forgeries when μ_5 is used.

First Forgery²: Forges the signature of the message (m_1 m_2 + δ (mod n)) with the signatures of m_1 and m_2 such that:

$$m_2 = m_1 + 1 . \qquad (11)$$

Second Forgery: Forges the signature of a message in the set {x, y, z, t} when we can write A = 2(n − δ) as at least two different sums of two squares:

$$A = x^2 + y^2 = z^2 + t^2 , \quad (x, y) \neq (z, t) \text{ and } (y, x) \neq (z, t) . \qquad (12)$$

¹ The symbol || denotes the concatenation of two strings.

² Discovered independently by D. Naccache.
4.1 First Forgery

Let m_1 and m_2 be two messages such that:

$$m_2 = m_1 + 1 . \qquad (13)$$

Then we have:

$$\begin{aligned}
\mu_5(m_1)\,\mu_5(m_2) &= (m_1^2 + \delta)(m_2^2 + \delta) \\
&= (m_1 m_2)^2 + \delta(m_1^2 + m_2^2) + \delta^2 \\
&= (m_1 m_2 + \delta)^2 - 2 m_1 m_2 \delta + \delta(m_1^2 + m_2^2) \\
&= (m_1 m_2 + \delta)^2 + \delta(m_1^2 - 2 m_1 m_2 + m_2^2) \\
&= (m_1 m_2 + \delta)^2 + \delta\,\underbrace{(m_1 - m_2)^2}_{1} \\
&= \mu_5(m_1 m_2 + \delta) \\
&= \mu_5(m_1 m_2 + \delta \pmod n) \pmod n .
\end{aligned}$$

Now, we can find m_1 and m_2 such that m_1 m_2 + δ (mod n) is less than √n by choosing m_1 close enough to √(n − δ). More precisely, let m_1 = √(n − δ) + θ with θ ∈ [−1/2, 1/2]. Then:

$$\begin{aligned}
m_1 m_2 + \delta &= m_1(m_1 + 1) + \delta \\
&= m_1^2 + m_1 + \delta \\
&= (\sqrt{n - \delta} + \theta)^2 + (\sqrt{n - \delta} + \theta) + \delta \\
&= (2\theta + 1)\sqrt{n - \delta} + \theta(\theta + 1) \pmod n ,
\end{aligned}$$

which is certainly (resp. possibly) smaller than √n if θ ∈ [−1/2, 0] (resp. if θ ∈ ]0, 1/2]). Of course, other values of m_1 and m_2 can be suitable, depending on the value of √(n − δ). Moreover, one can choose a large value for θ as long as m_1 m_2 + δ (mod n) is less than √n.



4.2 Second Forgery

The second forgery uses the fact that many integers can be written as sums of two squares in (at least) two different ways. This will be applied to various values of A = 2(n − δ), where n is an RSA modulus. Roughly speaking, if we can write:

$$A = x^2 + y^2 = z^2 + t^2 , \quad (x, y) \neq (z, t) \text{ and } (y, x) \neq (z, t) , \qquad (16)$$

then (see (25)):

$$\mu_5(x)\,\mu_5(z) = \mu_5(y)\,\mu_5(t) \pmod n , \qquad (17)$$

and the signature of any message in the set {x, y, z, t} can be deduced from the signatures of the three other ones. To do that, we first need to recall some basic results from (computational) number theory.







Marc Girault and Jean-François Misarsky



The Sum of Two Squares in Two Ways. In the 17th century, Fermat proved that every prime p such that p ≡ 1 (mod 4) has a unique decomposition as a sum of two squares and, more generally, that an integer n has such a decomposition if and only if all its prime factors p such that p ≡ 3 (mod 4) have even exponents in the factorization of n. In the latter case, the number of essentially different decompositions³ is 2^{k−1}, where k is the number of primes such that p ≡ 1 (mod 4) [9]. Here, we will be especially interested in the case k ≥ 2.

Remark 3. (Gauss) If a number n can be written as a sum of squares then n has ∏_i (e_i + 1) representations⁴ [7, section 182], where the e_i are the exponents of the prime factors p_i of n such that p_i ≡ 1 (mod 4).



Diophantus' identities are crucial in the proof of these theorems. We recall them:

$$\begin{aligned}
(a^2 + b^2)(c^2 + d^2) &= (ac - bd)^2 + (bc + ad)^2 = e_1^2 + f_1^2 \\
&= (ac + bd)^2 + (bc - ad)^2 = e_2^2 + f_2^2 . \qquad (18)
\end{aligned}$$



They show that the product of two sums of two squares is still the sum of two squares, and in two different ways (see example 1). There is an exception to the latter statement: if one of the initial sums is equal to 2 (= 1² + 1²), then the two identities become only one, and the decomposition remains the same (see example 2).

Example 1.

$$\begin{aligned}
13 \cdot 17 &= (2^2 + 3^2)(4^2 + 1^2) \\
&= (2\cdot4 - 3\cdot1)^2 + (3\cdot4 + 2\cdot1)^2 = 5^2 + 14^2 \qquad (19) \\
&= (2\cdot4 + 3\cdot1)^2 + (3\cdot4 - 2\cdot1)^2 = 11^2 + 10^2 .
\end{aligned}$$

Example 2.

$$\begin{aligned}
2 \cdot 13 &= (1^2 + 1^2)(2^2 + 3^2) \\
&= (1\cdot2 - 1\cdot3)^2 + (1\cdot2 + 1\cdot3)^2 = 1^2 + 5^2 \qquad (20) \\
&= (1\cdot2 + 1\cdot3)^2 + (1\cdot2 - 1\cdot3)^2 = 5^2 + 1^2 .
\end{aligned}$$



Now, the point is to make these decompositions, when they exist, efficient to compute. In 1908, Cornacchia [3] showed how to use Euclid's algorithm to find the decomposition of a prime p equal to 1 modulo 4 [1, pages 34-35], [15]. It can be briefly described as follows: find a square root z of −1 modulo p, then apply Euclid's algorithm to p and z until the remainder x is smaller than √p. Then it can be proven that p − x² is a square and we have p = x² + y².

Finally, it is trivial to remark that the product of a square and of a sum of two squares is still a sum of two squares:

$$C^2(x^2 + y^2) = (Cx)^2 + (Cy)^2 . \qquad (21)$$

³ n = a² + b² with gcd(a, b) = 1 and (a, b) ∈ N × N.

⁴ n = a² + b² with (a, b) ∈ N × N.
As a consequence of all these facts, if we can write A = 2(n − δ) as a product in the form:

$$C^2 \prod_{i=1}^{k} p_i \quad \text{or} \quad 2\,C^2 \prod_{i=1}^{k} p_i , \qquad (22)$$

where the p_i are equal to 1 modulo 4 and k ≥ 2, then, by applying Cornacchia's algorithm to the p_i and applying Diophantus' identities to its outputs, we will obtain at least 2^{k−1} different decompositions of A in sums of two squares.

Example 3. n = 493 = 17 · 29 and δ = 272.

Then A = 2(n − δ) = 2 · 13 · 17.

We have 13 = 2² + 3², 17 = 4² + 1².

And, by applying Diophantus' identities:

$$\begin{aligned}
A &= 2(5^2 + 14^2) = (1^2 + 1^2)(5^2 + 14^2) = 9^2 + 19^2 \\
&= 2(11^2 + 10^2) = 1^2 + 21^2 .
\end{aligned}$$



If we cannot write A as such a product, either because its factorization reveals 
a prime equal to 3 mod 4 with an odd exponent, or reveals only one prime equal 
to 1 modulo 4, or simply because we failed in factorizing n — 6, then we have to 
try again with another value of n. This leads to the following forgery method. 



Forgery.

Step 1: Try different moduli n until obtaining:

$$A = x^2 + y^2 = z^2 + t^2 , \quad x, y, z, t < \sqrt{n} , \quad (x, y) \neq (z, t) \text{ and } (y, x) \neq (z, t) .$$

Step 2: Obtain the signatures of 3 messages in the set {x, y, z, t}.

Step 3: Use the following relation (which holds because A = 2(n − δ) ≡ −2δ (mod n)) to compute the signature of the remaining message:

$$\begin{aligned}
\mu_5(x)\,\mu_5(z) &= (x^2 + \delta)(z^2 + \delta) \\
&= (A - y^2 + \delta)(A - t^2 + \delta) \\
&= (-y^2 - \delta)(-t^2 - \delta) \qquad (25) \\
&= (y^2 + \delta)(t^2 + \delta) \\
&= \mu_5(y)\,\mu_5(t) \pmod n .
\end{aligned}$$

Example 4. n = 493 = 17 · 29 and δ = 272.

Then A = 9² + 19² = 1² + 21² (see example 3).

$$\mu_5(9)\,\mu_5(1) = (9^2 + 272)(1^2 + 272) = 234 \pmod{493} . \qquad (26)$$

And,

$$\mu_5(19)\,\mu_5(21) = (19^2 + 272)(21^2 + 272) = 234 \pmod{493} . \qquad (27)$$



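As an added illustration, not taken from the paper, the following Python script carries out the number theory of Sections 4.1 and 4.2 on the paper's toy parameters n = 493 and δ = 272: it implements Cornacchia's decomposition for primes p ≡ 1 (mod 4), combines the results with Diophantus' identities (18) (and the scaling rule (21)) to list every way of writing A = 2(n − δ) as a sum of two squares, and verifies the two relations the forgeries rest on, μ5(x)μ5(z) ≡ μ5(y)μ5(t) (mod n) from (25) and μ5(m1)μ5(m1 + 1) ≡ μ5(m1(m1 + 1) + δ) (mod n) from Section 4.1. Factoring is by trial division, which is enough for three-digit values but not for Example 5; the function names, the `two_square_representations` helper and the choice m1 = 15 for the first relation are my own assumptions, not the authors'.

```python
from itertools import combinations
from math import isqrt


def mu5(m, delta, n):
    """Redundancy function of Section 4: mu5(m) = m^2 + delta (mod n)."""
    return (m * m + delta) % n


def first_forgery_target(m1, delta, n):
    """Section 4.1: for m2 = m1 + 1, mu5(m1) * mu5(m2) = mu5(m1*m2 + delta mod n) (mod n).
    Returns that third message; it is a legal input of mu5 only when it is below sqrt(n)."""
    m2 = m1 + 1
    target = (m1 * m2 + delta) % n
    assert mu5(m1, delta, n) * mu5(m2, delta, n) % n == mu5(target, delta, n)
    return target


def sqrt_minus_one(p):
    """A square root of -1 modulo a prime p = 1 (mod 4): a^((p-1)/4) for any non-residue a."""
    for a in range(2, p):
        z = pow(a, (p - 1) // 4, p)
        if z * z % p == p - 1:
            return z
    raise ValueError("p must be a prime congruent to 1 modulo 4")


def cornacchia(p):
    """Cornacchia (1908): Euclid on (p, z) with z^2 = -1 (mod p) until the remainder x drops
    below sqrt(p); then p - x^2 is a perfect square and p = x^2 + y^2."""
    a, b = p, sqrt_minus_one(p)
    bound = isqrt(p)
    while b > bound:
        a, b = b, a % b
    x = b
    y = isqrt(p - x * x)
    assert x * x + y * y == p
    return x, y


def trial_factor(n):
    """Toy trial division (fine for 3-digit A, useless at Example 5 sizes): {prime: exponent}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def diophantus(reps, c, d):
    """Both identities (18) applied to each known pair (a, b):
    (a^2+b^2)(c^2+d^2) = (ac-bd)^2 + (bc+ad)^2 = (ac+bd)^2 + (bc-ad)^2.
    Pairs are normalised to 0 <= x <= y, which is why 2 = 1^2 + 1^2 yields a single pair."""
    out = set()
    for a, b in reps:
        for e, f in ((a * c - b * d, b * c + a * d), (a * c + b * d, b * c - a * d)):
            e, f = abs(e), abs(f)
            out.add((min(e, f), max(e, f)))
    return out


def two_square_representations(A):
    """All (x, y) with x <= y and x^2 + y^2 = A. Empty if a prime = 3 (mod 4) divides A to an
    odd power; a square prime power p^(2j) just scales the pairs by p^j, as in (21)."""
    reps = {(0, 1)}
    for p, e in trial_factor(A).items():
        if p % 4 == 3:
            if e % 2:
                return set()
            reps = {(x * p ** (e // 2), y * p ** (e // 2)) for x, y in reps}
            continue
        c, d = (1, 1) if p == 2 else cornacchia(p)
        for _ in range(e):
            reps = diophantus(reps, c, d)
    return reps


def four_message_relations(n, delta):
    """Section 4.2: with A = 2(n - delta) = x^2 + y^2 = z^2 + t^2 and x, y, z, t < sqrt(n),
    A = -2*delta (mod n) gives mu5(x) = -mu5(y) and mu5(z) = -mu5(t), hence relation (25)
    mu5(x) mu5(z) = mu5(y) mu5(t) (mod n). Returns every such ((x, y), (z, t)), each checked."""
    A = 2 * (n - delta)
    usable = sorted(r for r in two_square_representations(A) if r[1] * r[1] < n)
    relations = []
    for (x, y), (z, t) in combinations(usable, 2):
        lhs = mu5(x, delta, n) * mu5(z, delta, n) % n
        rhs = mu5(y, delta, n) * mu5(t, delta, n) % n
        assert lhs == rhs
        relations.append(((x, y), (z, t)))
    return relations


if __name__ == "__main__":
    print(two_square_representations(442))        # {(1, 21), (9, 19)}, as in Example 3
    print(four_message_relations(493, 272))       # [((1, 21), (9, 19))], as in Example 4
    print(first_forgery_target(15, 272, 493))     # 19: mu5(15) mu5(16) = mu5(19) (mod 493)
```

Run against a candidate pair (n, δ), a non-empty result from `four_message_relations` is exactly the condition under which three signatures determine a fourth; this is the kind of check one would apply to any squaring-type redundancy function before adopting it, since the relation depends only on A ≡ −2δ (mod n) and on the abundance of two-square representations, not on the RSA exponent.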




Remark 4. The attack can be extended to A = 3n − 2δ, if δ > n/2 (if not, A will be too large and some elements in the set {x, y, z, t} will be greater than √n).



Example 5. We try our attack on the signature scheme where the RSA modulus is the modulus specified in Annex A of ISO 9796-1 [10]. All values in this example are in hexadecimal.

p = BA09106C 754EB6FE BBC21479 9FF1B8DE
    1B4CBB7A 7A782B15 7C1BC152 90A1A3AB                                (28)

q = 1 6046EB39 E03BEAB6 21D03C08 B8AE6B66
      CFF955B6 4B4F48B7 EE152A32 6BF8CB25                              (29)

n = 1 00000000 00000000 00000000 00000000
      BBA2D15D BB303C8A 21C5EBBC BAE52B71
      25087920 DD7CDF35 8EA119FD 66FB0640
      12EC8CE6 92F0A0B8 E8321B04 1ACD40B7                              (30)

Let δ be a random constant of about the same size as the modulus n:

δ = FFE3B564 A0CB8C6C 6585C9CF A1CFC64B
    64B0C0F9 6CE980F5 ACC276C1 13045D1D
    05B1D218 D58C7D32 2387A305 9547EC31
    CF62CA5D 8C316E99 24B7F2C1 8A873FAE                                (31)

Compute the factorization of A:

A = 2(n − δ)
  = 2 · 2F9 · 2F9D10D · 200000011^3 · FE9820B7AE6D® · 3385F065A24DB4467E066FBBD577A0C6F6D119 .     (32)



With Cornacchia's algorithm and by applying Diophantus' identities we obtain 72 couples of values (a_i, b_i) such that a_i² + b_i² = A. And all these values are less than √n. We give 4 couples as examples:

a_1 = 10F26AC8 379A5197 8F6D6E3E 17461ED9
      1642DE79 C90D14D5 923190C6 D0A0EB
b_1 = 78599149 C677F865 48F58E83 DA99C194
      9F653DBD FAEA8B8C 02BCDD8D 04F7F5B

a_2 = 15CCECF3 6BC80743 296A7F88 78FFC0E2
      D509B3C9 B1EA0B53 8FE5036E B23E93
b_2 = 7858C944 CDCA3E18 0B0477F2 C6728C54
      BC4ADCD1 17361A46 2C0D7267 8661173

a_3 = 274AEA5B 8289F65F 2C849CA7 DA69F691
      15430C53 4EA3101F ACF6B8A8 673DDF
b_3 = 78545894 164142A8 FC5E800A 3DAC3705
      BBAD4B7C 46AE5A24 1B4D5830 E9FC137

a_4 = 4CE8CD96 B9920AB2 075E197C 564950E1
      18BA416D 9FEC2BDF 5BE6BBEF C18F45
b_4 = 78422D6B ED414DAD 9BE47D08 F2CF8EF8
      D742C8E5 C0440C45 F2B3300E B3E4A75



5 Conclusion 

We have shown that all the countermeasures described in "ISO 9796 and the new forgery strategy (Working Draft)" [2] by Coppersmith, Halevi and Jutla can be attacked. For two propositions, we use previous forgeries presented at Eurocrypt '97 and Crypto '97. For propositions two and three, μ_2 and μ_3, a recent attack is used. Moreover, we present two new ways to forge a signature when the last proposition is used.

Our contribution to the cryptanalysis of signature schemes with redundancy, after De Jonge-Chaum [11], Girault-Misarsky [5], Misarsky [12], Coron-Naccache-Stern [4] and Coppersmith-Halevi-Jutla [2], shows that it is very difficult to define this kind of scheme. But perhaps it is a good challenge for a year with a high level of redundancy (three zeroes) such as the year 2000.
Abstract. We exhibit an attack against a signature scheme recently
proposed by Gennaro, Halevi and Rabin [9]. The scheme’s security is 
based on two assumptions namely the strong RSA assumption and the 
existence of a division-intractable hash-function. For the latter, the au- 
thors conjectured a security level exponential in the hash-function’s di- 
gest size whereas our attack is sub-exponential with respect to the digest 
size. Moreover, since the new attack is optimal, the length of the hash 
function can now be rigorously fixed. In particular, to get a security level 
equivalent to 1024-bit RSA, one should use a digest size of approximately 
1024 bits instead of the 512 bits suggested in [9]. 



1 Introduction 

This paper analyses the security of a signature scheme presented by Gennaro, 
Halevi and Rabin at Eurocrypt’99 [9]. The concerned scheme (hereafter GHR) 
uses a standard (public) RSA modulus and a random public base . To sign 
a message , the signer computes the -th root modulo of with = ( ) 

where   is a hash function. A signature σ is verified with   =   mod  .

The scheme is proven to be existentially unforgeable under chosen message 
attacks under two assumptions: the strong RSA assumption and the existence 
of division-intractable hash-functions. The originality of the construction lies in 
the fact that security can be proven without using the random oracle model [3] . 

In this paper we focus on the second assumption, i.e. the existence of division-intractable hash-functions. Briefly, a hash function is division-intractable if it is computationally infeasible to exhibit a hash value that divides the product of other hash values. Assimilating the hash function to a random oracle, it is conjectured [9] based on numerical experiments that the number of  -bit digests
needed to find one that divides the product of the others is approximately 2^/®. 
Here we show that the number of necessary hash-values is actually subexponential in  , namely exp((√(2 log 2)/2 + o(1)) √(  log  )).

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 91-101, 2000. 

© Springer-Verlag Berlin Heidelberg 2000

The paper is organised as follows. We briefly start by recalling the GHR
scheme and its related security assumptions. Then we describe our attack, eval- 
uate its asymptotical complexity and, by extrapolating from running times ob- 
served for small digest sizes, estimate the practical complexity of our attack. We 
also show that the attack is asymptotically optimal and estimate from a simple 
heuristic model the minimal complexity of finding a hash value that divides the 
product of the others. 

2 The Gennaro-Halevi-Rabin Signature Scheme 

2.1 Construction 

The GHR scheme is a hash-and-sign scheme that shares some similarities with 
the standard RSA signature scheme: 



Key Generation: Generate an RSA modulus   = p ·  , the product of two primes p and   of about the same length, and a random element   ∈ Z*. The public key is ( ,  ) and the private key is (p,  ).

Signature Generation: To sign a message  , compute an odd exponent   =  ( ). The signature σ is:

σ =   mod  

where φ( ) = (p − 1)(  − 1) is Euler's function.

Signature Verification: Check that:

= mod 



2.2 GHR’s Security Proof 

The originality of the GHR signature scheme lies in the fact that its security can 
be proven without using the random oracle model. In the random oracle model, 
the hash function is seen as an oracle which outputs a random value for each new 
query. Instead, the hash function must satisfy some well defined computational 
assumptions [9]. In particular, it is assumed that the hash function family is 
division-intractable. 

Definition 1 (Division Intractability [9]). A hashing family H is division intractable if finding h ∈ H and distinct inputs  ,  1 ...  n, such that h( ) divides the product of the h( i) values, is computationally infeasible.

The GHR signature scheme is proven to be existentially unforgeable under 
an adaptive chosen message attack, assuming the strong RSA conjecture. 
Conjecture 1 (Strong-RSA [2]) Given a randomly chosen RSA modulus   and a random   ∈ Z*, it is infeasible to find a pair ( ,  ) with   > 1 such that

  ^  =   mod  .

An opponent willing to forge a signature without solving the strong-RSA problem can try to find messages  1 ...  r such that  ( ) divides the least common multiple of  ( 1) ...  ( r). In this case, we say that a division-collision for   was exhibited. Using Euclid's algorithm the opponent can obtain  1 ...  r such that:



( ( r) lcm( ( i) ... ( ,.)) . ( ) 

and forge the signature σ of   from the signatures of the messages  i by:

(flO^ ™od 

i=l 

If H is division-intractable then it is infeasible for a polynomially bounded attacker to find a division collision for a hash function in H. In particular, a random oracle is shown to be division-intractable in [9].

A natural question that arises is the complexity of finding a division collision, 
if one assumes that the hash function behaves as a random oracle, i.e. outputs a 
random integer for each new query. This question will condition the choice of the 
signature scheme’s parameters. [9] conjectures (based on numerical experiments) 
a security level exponential in the length of the hash function, namely that the 
number of hash calls necessary to obtain a division-collision is asymptotically 
2^/® where is the digest size. To get equivalent security to a 1024-bit RSA, [9] 
suggests using 512-bit digests. In the next section, we exhibit a sub-exponential forgery and study its consequences for the recommended digest size.

3 A Sub-exponential Attack 

The outline of our attack is the following: we first look among many digests to 
find a smooth one, i.e. a hash value that factors into moderate-size primes pi. 
Then for each of the pi we look for a hash value divisible by pi, so that the 
smooth hash value divides the least common multiple of the other hash values. 



3.1 Background on Smooth Numbers 

Let be a positive integer. We say that an integer is -smooth if each prime 
dividing   is <  . An integer   is  -powersmooth if all prime powers dividing

are < . Letting ( ) denote the number of integers 1 < < such that 

is -smooth, the following theorem gives an estimate of the density of smooth 
numbers [5]: 
Theorem 1. If ε is an arbitrary positive constant, then uniformly for   > 10 and   > (log  ),

$$ ( ,  ) = u^{-u + o(u)} \quad \text{as } \; \to \infty ,$$

where u = (log  )/(log  ).

In particular, setting   = L_x[ ] = exp((  + o(1)) √(log x log log x)), the probability that a random integer between one and x is L_x[ ]-smooth is:



The proportion of squarefree integers is asymptotically 6/π² [10]. Letting  1( ) 

denote the number of squarefree integers 1 < < such that is -smooth, 

theorem 3 in [10] implies that the same proportion holds for -smooth numbers: 



under the growing condition: 

log 

log log 



( ) ( 1 ) 

( ^ oo) 



A squarefree -smooth integer is -powersmooth, so letting '( ) denote the 

number of integers 1 < < such that is -powersmooth, we have for all 

> 0 : 

i( )< '( )< ( ) 

which using (1) shows that for = L^l ], the probability that a random integer 
between one and is -powersmooth is: 



'( ) 




3.2 The Attack 

In the following we assimilate the hash function to a random oracle which outputs 
random integers between one and . Given a set S of random integers, we say 
that ( 1 . . . r) is a division-collision for 5 if i . . . r & S and divides 

the least common multiple of i . . . r- 

Theorem 2. Let S = { 1 ...  v} be a set of v random integers uniformly distributed between one and x. If v = L_x[√2/2] then there exists a probabilistic Turing machine which outputs a division-collision for S in time L_x[√2/2] with non-negligible probability.

Proof: Using the following algorithm with   = √2/2, a division-collision is found in time L_x[√2/2] with non-negligible probability.

An algorithm finding a division-collision:

Input: a set S = { 1 ...  v} of v = L_x[√2/2] random integers between one and x.

Output: a division-collision for S.

Step 1: Look for a powersmooth  k ∈ S with respect to   = L_x[ ], using Pollard-Brent's Method [4] or Lenstra's Elliptic Curve Method (ECM) [11] to obtain:

 k = ∏ p_i^{e_i}  with  p_i^{e_i} <    for 1 ≤ i ≤      (2)

Step 2: For each prime factor p_i look for  j ∈ S with j ≠ k such that  j = 0 mod p_i^{e_i}, whereby:

 k | lcm( ... )

Pollard-Brent's method finds a factor p of   in O(√p) expected running time, whereas the ECM extracts a factor p of   in L_p[√2] expected running time. Using Pollard-Brent's method at step 1, an L_x[ ]-powersmooth  ( ) is found in expected L_x[1/(2 )] · L_x[ /2] = L_x[1/(2 ) +  /2] time. Using the ECM an L_x[ ]-powersmooth  ( ) is found in L_x[1/(2 )] · L_x[o(1)] = L_x[1/(2 )] operations. Since   <  , the second stage requires less than v = L_x[ ] operations.

The overall complexity of the algorithm is thus minimal for   = 1 when using Pollard-Brent's method, resulting in a time complexity of L_x[1]. The ECM's minimum complexity occurs for   = √2/2, giving a time complexity of L_x[√2/2].

□ 



Moreover, the following theorem shows that the previous algorithm is opti- 
mal. 

Theorem 3. Let S = { 1 ...  v} be a set of v random integers uniformly distributed between one and x. If v = L_x[ ] with   < √2/2, then the probability that one integer in S divides the least common multiple of the others is negligible.

Proof: See appendix A. 

□ 



Consequently, assuming that the hash function behaves as a random oracle, the number of hash values necessary to exhibit a division-collision with non-negligible probability is asymptotically L_x[√2/2] and this can be done in time L_x[√2/2].
3.3 The Attack's Practical Running Time

Using the ECM, the attack has an expected time complexity of:

$$L_x[\sqrt{2}/2] = \exp\left(\left(\tfrac{\sqrt{2}}{2} + o(1)\right)\sqrt{\log x \,\log\log x}\right) \qquad (3)$$

It appears difficult to give an accurate formula for the attack’s practical 
running time since one would have to know the precise value of the term o(l) in 
equation (3). However, extrapolating from (3) and the running times observed 
for small hash sizes, we can estimate the time complexity for larger hash sizes. 

We ran the attack on a Pentium 200 MHz for hash sizes of 128, 160, and 192 bits, using the MIRACL library [12]. In Table 1 we summarize the observed running time in seconds and the logarithm in base 2 of the number of operations (assuming that the Pentium 200 MHz performs 200 · 10^6 operations per second).



Table 1. Experimental running times in seconds and log2 complexity (number of operations) of the attack for various digest sizes

  digest size in bits | time complexity in seconds | log2 complexity
  128                 | 3.5 · 10^2                 | 36
  160                 | 3.6 · 10^3                 | 39
  192                 | 2.1 · 10^4                 | 42



Assuming that the complexity of the attack (number of operations) can be expressed as   · exp((√2/2) √(log x log log x)), the experimental complexity for a 192-bit hash size gives   = 6.1 · 10^4, from which we derive in Table 2 the estimated complexity for larger hash sizes. The estimate may be rather imprecise and only provides an order of magnitude of the attack's complexity. However, the results summarized in Table 2 suggest that in order to reach a security level equivalent to 1024-bit RSA, digests should also be approximately 1024 bits long. Finally, we describe in the full version of the paper [6] a slightly better attack for the particular hash function suggested in [9].

4 Minimal Number of Hash Calls Necessary to Obtain a 
Division-Collision 

In the previous section we have estimated the time complexity of the attack 
using the ECM, from its asymptotic running time (3) and the observed running 
times for small hash sizes. Consequently, our estimate depends on the practical 
implementations of the hash function and the ECM. However theorem 3 shows that there is a lower bound on the number of hash calls necessary to mount the attack: asymptotically the number of hash calls must be at least L_x[√2/2]
Table 2. Estimated log2 complexity (number of operations) of the attack for various digest sizes

  digest size | log2 complexity (number of operations)
  256         | 47
  512         | 62
  640         | 69
  768         | 75
  1024        | 86



so that with non-negligible probability there exist a division-collision (i.e. one 
hash value divides the least common multiple of the others). In this section we 
obtain heuristically a more precise estimate of the minimal number of hash calls 
necessary to have a division-collision with given probability. As in the previous 
section we assume that the hash function behaves as a random oracle, i.e. it 
outputs a random integer for each new query. Consequently the problem is the 
following: given a set S of v random integers in {1 ...  }, what is the probability  ( , v) that one integer in S divides the least common multiple of the others?



4.1 A Heuristic Model 



The probability ( v) can be derived from a simple heuristic model called 
random bisection. In this model, the relative length of the first prime factor of 
a random number is obtained asymptotically by choosing a random uniformly 
in [0 1], and then proceeding recursively with a random integer of relative size 
1 — . This model is used in [1] to compute a recurrence for ( ) = (1/ ), the 
asymptotic probability that all prime factors of a random are smaller than “. 
In the above formula is Dickman’s rho function defined for real t > 0 by the 
relation [7]: 



if 0 < t < 1 



it) = 






{w - 1) 



(4) 



w if < t < -1-1 for G N 



For an “-smooth integer , the relative length chosen by random bisection is 
smaller than , and the remaining integer of relative size 1 — is also “-smooth. 
Consequently, we obtain equation (5) from which we derive (4). 



( ) 





(5) 



Let ( v) denote the probability that a random integer comprised between 
one and divides the least common multiple of v other random integers in 

{1 ... }. Let = log 2 and V = log 2 u. Let p be a prime factor of of 
relative size   (i.e. p = ^). The probability that p divides a random integer 

in {1 . . . } is roughly 1/p. Consequently, the probability that p divides the 

least common multiple of v random integers in { 1 . . . } is roughly: 

= 1 — (1 )*' ~ 1 — exp(— ) for large p 

p p 

If <V/ , then p < V and we take = 1. Otherwise if > V/ then p > v 
and we take = v/p. Consequently, we obtain: 

if < V 

+/; 

Letting S{ V) = {v°‘ v), we have: 

1 

- fs{ - V) +- fs{ 

JO J1 

We obtain: 

= -1 y)-(i + yiog2)— ( C) (6) 

S{ V) for > 0 is thus defined as the solution with continuous derivative of the 
delay differential equation (6) with initial condition S{ V) = 1 for 0 < <1. 

A division-collision occurs if at least one integer divides the least common 
multiple of the others. We assume those events to be statistically independent. 
Consequently, we obtain: 



5( y) = 



( u)4 if >v 

if < 1 

- if > 1 




( V)) 



( 7 ) 



4.2 Numerical Experiments 

We performed numerical experiments to estimate the number of  -bit integers required so that a division-collision appears with good probability. We considered bit-lengths from   = 16 to   = 96 in increments of 16, and as in [9] for each bit length we performed 200 experiments in which we counted how many random integers were chosen until one divides the least common multiple of the others. As in [9], we took the second smallest result of the 200 experiments as an estimate of the number of integers required so that a division-collision appears with probability 1%. The results are summarized in Table 3.
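The following Python script is an added example, not part of the paper, of the division-collision search of Section 3.2 and of the counting experiment described above: `find_division_collision` implements the two-step search (Step 1: find a powersmooth element; Step 2: for each of its prime powers find another element it divides), with trial division standing in for Pollard-Brent or the ECM at toy sizes; `has_division_collision` checks the definition directly through the lcm; and `integers_until_collision` repeats the Section 4.2 experiment for a chosen bit length. The constructed set `[30, 4, 9, 25, 77]`, the SHA-256-derived stand-in digests and every function name are my own assumptions.

```python
from functools import reduce
from hashlib import sha256
from math import gcd
import random


def lcm_all(values):
    """Least common multiple of a list (1 for the empty list)."""
    return reduce(lambda a, b: a * b // gcd(a, b), values, 1)


def has_division_collision(S):
    """The definition of Section 3.2 checked directly: return an element of S that divides
    the least common multiple of the other elements, or None if there is none."""
    for i, k in enumerate(S):
        if lcm_all(S[:i] + S[i + 1:]) % k == 0:
            return k
    return None


def prime_power_factors(n, bound):
    """Trial division by primes up to `bound`. Returns ({p: e}, cofactor); a cofactor of 1
    means n is bound-smooth, anything else is a leftover with no prime factor <= bound."""
    factors, p = {}, 2
    while p <= bound and p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if 1 < n <= bound:          # the remaining prime is itself small enough
        factors[n] = factors.get(n, 0) + 1
        n = 1
    return factors, n


def is_powersmooth(n, bound):
    """n is bound-powersmooth if every prime power dividing it is <= bound (Section 3.1)."""
    factors, cofactor = prime_power_factors(n, bound)
    return cofactor == 1 and all(p ** e <= bound for p, e in factors.items())


def find_division_collision(S, bound):
    """Two-step search of Section 3.2 (trial division in place of Pollard-Brent / ECM).
    Step 1: pick a bound-powersmooth k in S.
    Step 2: for every prime power p^e exactly dividing k, find another element of S that
    p^e divides. Then k | lcm(witnesses). Returns (k, witnesses) or None."""
    for i, k in enumerate(S):
        if not is_powersmooth(k, bound):
            continue
        factors, _ = prime_power_factors(k, bound)
        witnesses = []
        for p, e in factors.items():
            q = p ** e
            w = next((h for j, h in enumerate(S) if j != i and h % q == 0), None)
            if w is None:
                break                     # an unmatched prime power: try the next k
            witnesses.append(w)
        else:
            assert lcm_all(witnesses) % k == 0
            return k, witnesses
    return None


def simulated_digests(count, bits, label=b"constructed"):
    """Random-oracle stand-in (constructed data): `bits`-bit integers in [1, 2^bits - 1]
    derived from SHA-256 of a counter, so the set is reproducible."""
    modulus = 2 ** bits - 1
    return [1 + int.from_bytes(sha256(label + b":%d" % i).digest(), "big") % modulus
            for i in range(count)]


def integers_until_collision(bits, seed):
    """The experiment of Section 4.2: draw random `bits`-bit integers one at a time until one
    of them divides the lcm of the others. Returns (how many were needed, the set drawn)."""
    rng = random.Random(seed)
    S = []
    while True:
        S.append(rng.randrange(1, 2 ** bits))
        if has_division_collision(S) is not None:
            return len(S), S


if __name__ == "__main__":
    print(find_division_collision([30, 4, 9, 25, 77], 5))   # (30, [4, 9, 25])
    print(find_division_collision(simulated_digests(200, 16), 256))
    print(integers_until_collision(16, 7)[0])
```

Repeating `integers_until_collision` over many seeds and taking a low quantile reproduces the procedure behind Table 3, and is the kind of sanity check a designer can run before fixing a digest size; `find_division_collision` shows why the powersmooth element of Step 1 is the expensive part, since everything afterwards is a divisibility scan over the set.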

The function S{ V) can be computed by numerical integration from (6) 
and S( , V) = 1 for 0 <   < 1. We used the Runge-Kutta method of order 4 to
Table 3. Number of random integers required to obtain a division-collision with probability 1% as a function of their size (numerical experiments and heuristic model)

  integer size                          | 16  | 32  | 48  | 64  | 80   | 96
  number of integers (experiments)      | 4   | 25  | 119 | 611 | 1673 | 7823
  log2 number of integers (experiments) | 2.0 | 4.6 | 6.9 | 9.3 | 10.7 | 12.9
  log2 number of integers (model)       | 2.0 | 4.7 | 7.0 | 9.1 | 10.9 | 12.6

Table 4. log2 number of random integers required to obtain a division-collision with probability 1% as a function of their size

  integer size in bits | log2 number of integers
  128                  | 15.6
  256                  | 25.6
  512                  | 40.6
  640                  | 46.8
  768                  | 52.4
  1024                 | 63.2
  1280                 | 72.1
solve the differential equation (6). We summarize in Table 3 the log 2 number 
of -bit integers required to obtain a division-collision with probability 1% for 
= 16 to = 96, from the heuristic model. We see that the values predicted 
by the model are close to the experimental values. In Table 4 we use the model 
to estimate the number of -bit integers required to obtain a division-collision 
with probability 1% for large values of  . As in section 3.3 we see that in order to get a security level of 1024-bit RSA, one should use a hash function of size approximately 1024 bits.

5 Conclusion 

We have analysed the security of the Gennaro-Halevi-Rabin signature scheme of Eurocrypt'99. In particular, we exhibited a sub-exponential attack that forces one to increase the security parameters beyond 512 or 642 bits, up to approximately 1024 bits, in order to get a security level equivalent to 1024-bit RSA. Another variant of the scheme described in [9] consists in generating prime digests only, by performing primality tests on the digests until a prime is obtained. In this case, a division-collision is equivalent to a collision in the hash function, but the signature scheme becomes less attractive from a computational standpoint.
A Proof of Theorem 3

Proof: Let S = { 1 ...  v} with v = L_x[ ] and   < √2/2 be a set of v random integers uniformly distributed between one and x. Denote by  ( , v) the probability that one integer in S divides the least common multiple of the others and by   the event in which  1 divides the least common multiple of { 2 ...  v}.

The proof's outline is the following: we consider the possible smoothness degrees of  1 and compute the probability of   for each smoothness degree. Then we show that Pr[ ] is smaller than L_x[−√2/2 + ε] for ε > 0 and conclude that  ( , v) is negligible.
The possible smoothness degrees of  1 are denoted:

• Sm:  1 is L_x[√2/2]-smooth. This happens with probability

Pr[Sm] = L_x[−√2/2]

and consequently:

Pr[  ∧ Sm] = O(L_x[−√2/2])     (8)

• Sm(γ, ε):  1 is L_x[γ + ε]-smooth without being L_x[γ]-smooth, for √2/2 ≤ γ < √2 and ε > 0. This happens with probability:

Pr[Sm(γ, ε)] = L_x[−1/(2(γ + ε))]     (9)

In this case,  1 contains a prime factor greater than L_x[γ], which appears in the factorization of another  j with probability O(L_x[−γ]). Consequently  1 divides the least common multiple of { 2 ...  v} with probability:

Pr[  | Sm(γ, ε)] = O(L_x[  − γ])

With (9) and γ + 1/(2(γ + ε)) ≥ √2 − ε for γ ≥ √2/2, we get:

Pr[  ∧ Sm(γ, ε)] = O(L_x[  − √2 + ε])     (10)

• ¬Sm:  1 is not L_x[√2]-smooth. Consequently  1 contains a factor greater than L_x[√2] and thus:

Pr[  ∧ ¬Sm] = O(L_x[  − √2]) = O(L_x[−√2/2])     (11)

Partitioning the segment [√2/2, √2] into segments [γ, γ + ε] and using equations (8), (10) and (11), we get:

Pr[ ] = O(L_x[−√2/2 + ε])

Since   < √2/2 we can choose ε > 0 such that √2/2 −   − ε =   > 0 and obtain:

 ( , v) = O(L_x[  − √2/2 + ε]) = O(L_x[− ])

which shows that  ( , v) is negligible.

□
Abstract. Later this year we shall see the release of the Third Generation Partnership Project (3GPP) specifications for WCDMA - the first third generation standard for mobile communications. This 3G system combines elements of both a radical departure and a timid evolution from the 2G system known as GSM. It is radically different from GSM in having a wide-band CDMA system for its air-interface, but it hangs on to the GSM/GPRS core switching network with its MAP based signalling system. In this paper we consider the security features in WCDMA, taking a critical look at where they depart from those in GSM, where they are still very much the same and how they may develop as the core switching network is replaced by an IP based infrastructure.

Three principles underpinned the approach adopted for security in WCDMA: build on 2G by retaining security features from GSM that have proved to be needed and robust; address the weaknesses in 2G, both the real and the perceived ones; introduce new features where new 3G architectures and services demand them. In addition there was the desire to retain as much compatibility with GSM as possible in recognition of the fact that many WCDMA networks would be rolled out alongside GSM networks, with them sharing a core switching network, and with handover of calls between the two.

The problems with GSM security derive not so much from intrinsic problems with the mechanisms (although we will consider the algorithms separately) but rather from deliberate restrictions on the design. The most significant restriction was that GSM only needed to be as secure as the fixed networks. This was interpreted to mean that wherever fixed network technology was used cryptographic features were not needed. After all, they were not, and still are not, used by fixed carriers to protect consumer services. Fixed links in a mobile network were excluded from consideration, as was mobile signalling data when transferred over fixed networks. Protection against attacks involving impersonating a network element was not addressed. All this has led to three real security concerns for GSM: the use of false base stations to intercept mobile originated calls, interception of microwave links between base stations and the core network, and the vulnerability of signalling to interception and impersonation. We will consider each of these concerns and explain how they have been addressed in WCDMA.

The GSM algorithms were designed at a time when the political climate was very different from what it is today. It was radical to launch a public access telecommunications system that automatically provided encryption - open evaluation and publication of the algorithm design criteria was just not an option. But the system was designed so that operators could use the best authentication algorithms available - so why was one used that is so obviously flawed? We look at these problems, and the rather different approach taken for the WCDMA algorithms.

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 102-103, 2000.
© Springer-Verlag Berlin Heidelberg 2000
On the Security of 3GPP Networks

All these considerations have led to the following set of security features 
in the first release of the WCDMA standard. Encryption of user traffic 
and signalling data on the air-interface, with the encryption terminated 
in the network at the RNC (radio network controller). This is further into 
the network than with GSM, where termination is at the base station. 
In addition to encryption, there is an integrity check on the air-interface 
signalling data. Authentication uses the same challenge-response tech- 
nique as in GSM, except that it is enhanced to allow the mobile to verify 
the origin and freshness of the challenge. The basic key management is 
unchanged from GSM. The SIM still features as the security processor in 
the mobile terminal, and it shares an authentication key with its home 
network. This key is used to generate authentication data and encryp- 
tion and integrity keys used to protect traffic in the access network. The 
security protocol is still executed in the local access network, but the 
network signalling is now protected. Thus user authentication data and 
ciphering keys can be encrypted when they are transferred between or 
within networks on signalling links. 

The cryptographic keys for encryption and integrity are longer than those 
used in GSM, and a more open approach has been adopted for the design 
and evaluation of the air-interface algorithm. At the time of writing the 
algorithm has not been published, but it is hoped that it will be available 
on the ETSI web site shortly. As we shall see, the algorithm is very 
different from that used in GSM. 

So for the first release of the WCDMA standards, the so-called release 99 or R99, the security features are more-or-less an upgraded version of those used in GSM. In particular, we still have a set of security features for an access network. This was to be expected, since the focus to date of 3GPP standardisation has been to define WCDMA as a new radio access to the GSM/GPRS switching network. The emphasis for R00 is now shifting to an IP based core network. We shall see that this is resulting in a set of additional security features.
Abstract. We show that general one-way trapdoor permutations are sufficient to privately retrieve an entry from a database of size n with total communication complexity strictly less than n. More specifically, we present a protocol in which the user sends $O(K^2)$ bits and the server sends $n - cn/K$ bits (for any constant c), where K is the security parameter of the trapdoor permutations. Thus, for sufficiently large databases (e.g., when $K = n^{\varepsilon}$ for some small ε) our construction breaks the information-theoretic lower-bound (of at least n bits). This demonstrates the feasibility of basing single-server private information retrieval on general complexity assumptions.

An important implication of our result is that we can implement a 1-out- 
of-n Oblivious Transfer protocol with communication complexity strictly 
less than n based on any one-way trapdoor permutation. 



1 Introduction 

Private information retrieval (PIR, for short) is a communication protocol be- 
tween a user and a server. In this protocol the user wishes to retrieve an item 
from a database stored in the server without revealing to the server which 
item is being retrieved. For concreteness, the database is viewed as an n-bit 
string x and the entry to be retrieved is the i-th bit of x. This problem was introduced by Chor et al. [9] and various aspects of it were further studied in [1,8,32,27,11,15,16,28,39,12,2,7,24,30]. A naive solution for hiding which particular item is being retrieved (i.e., the index i) is to retrieve the entire database x. The communication complexity of this solution is n bits. Solutions that are more efficient than the naive one, in a setting where there are identical copies of the database stored in several servers, were found by [9] and later in [1,24]. In this setting, the user can make queries to different servers and use the answers to reconstruct the bit $x_i$. Assuming that the servers do not communicate with each other, then privacy can be achieved with a cost which is much less than n (e.g., when two such servers are available). Moreover, [9] have shown that if there is only a single server, then getting information-theoretic privacy with communication of less than n bits is impossible, hence motivating the use of replication.

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 104-121, 2000.
© Springer-Verlag Berlin Heidelberg 2000
One-Way Trapdoor Permutations Are Sufficient for PIR

Kushilevitz and Ostrovsky [27] have shown a way to get around this impossibility result. Namely they show that, assuming the hardness of some number-theoretic problem (specifically, the quadratic residuosity problem), it is possible to design a private information retrieval protocol with a single server and communication complexity of $O(n^{\varepsilon})$ (for any constant ε > 0).¹ Their result strongly relies on the algebraic properties of the quadratic residuosity problem. Other single-server PIR protocols which are based on specific (number-theoretic and/or algebraic) intractability assumptions were subsequently presented in [28,39,7]. In particular, Cachin, Micali and Stadler [7] have shown that under the so-called Φ-hiding (number-theoretic) assumption one can achieve even more efficient poly-logarithmic (in n) communication with a single server. (This is almost optimal since even without the privacy requirement the communication complexity must be at least log n.) All these PIR protocols exploit specific algebraic structures related to the specific intractability assumption in use. In this paper, we address the question whether PIR protocols can be based on some "general" (preferably, the weakest possible) assumption.

Starting with the work of Yao [40] , the program of identifying the weakest 
possible assumptions to reach various cryptographic tasks was launched. This 
program enjoyed a great success and for most cryptographic primitives we have 
very good grasp of both necessary and sufficient conditions; see, e.g. [21,38,36]. 
What about private information retrieval? On the lower-bound front, in addition 
to the information-theoretic lower-bound [9], recent work has established that 
single-server private information retrieval with less than n communication (even 
n — 1 bits) already implies the existence of one-way functions [2] and, more 
generally, the existence of Oblivious Transfer (OT) protocols [12] (the connection 
between PIR and OT is discussed in more details below). The most general 
assumption based on which it is (currently) known how to construct OT is that 
one-way trapdoor permutations exist [20].² Thus, in a sense, the most general
assumption one can hope to use for constructing single-server private information 



¹ In [8] it is shown, in the setting where there are several servers storing identical database x, that intractability assumptions might be of help in constructing efficient PIR protocols.

² Impagliazzo and Rudich [23] have shown that OT is unlikely to be implemented based on one-way functions only (i.e. without trapdoor) since the proof of security (using black-box reductions) would yield a proof that P is not equal to NP. Also, Impagliazzo and Luby [22] have shown that oblivious transfer protocols already imply the existence of one-way functions. (In fact, OT was shown to be complete for any two-party computation [25,26].) We also note that there are known constructions for OT which are based on concrete assumptions, such as the Diffie-Hellman assumption; in this case a trapdoor may not be required.
retrieval protocols is the assumption that one-way trapdoor permutations exist (or trapdoor functions with polynomial pre-image size; see [3]).

In this paper, we show that this is indeed feasible. That is, we show, under the sole assumption that one-way trapdoor permutations exist (without relying on special properties of any specific assumption), that single-server private information retrieval with strictly less than n communication is possible (or more precisely, of communication $n - cn/K + O(K^2)$, where $K \ll n$ is the security parameter and c is some constant³). We note however that, while the communication complexity is below the information-theoretic lower bounds of [9], it is nowhere close to what can be achieved based on specific assumptions. This quantitative question remains for future study.

As we already mentioned, single-server private information retrieval has a close connection to the notion of Oblivious Transfer (OT), introduced by Rabin [37]. A different variant of Oblivious Transfer, called 1-out-of-2 OT, was introduced in [13] and, more generally, 1-out-of-n OT was considered in [4].⁴ All these notions were shown to be equivalent [5] and complete for all two party computations [25]. As mentioned, communication-efficient implementation of 1-out-of-n OT can be viewed as a single-server PIR protocol with an additional guarantee that only one (out of n) secrets is learned by the user. This notion (in the setting of several non-communicating servers) was first considered in [16] and called Symmetric Private Information Retrieval (or SPIR). Kushilevitz and Ostrovsky [27] noted that in a setting of single-server PIR their protocol can be made into a 1-out-of-n OT protocol (i.e., SPIR) with communication complexity $O(n^{\varepsilon})$ for any ε > 0 (again, based on a specific algebraic assumption). Naor and Pinkas [30] have subsequently shown how to turn any PIR protocol into a SPIR protocol with one invocation of the PIR protocol and a logarithmic number of invocations of 1-out-of-2 (string) OT. Combining our results with the results of [30] and with known implementations of OT based on any one-way trapdoor permutation [20], we get a 1-out-of-n OT (i.e., SPIR) protocol based on any one-way trapdoor permutation whose communication complexity is strictly less than n.



Organization and Techniques: Section 2 includes some definitions that are used in this paper. In addition, it describes several tools from the literature that are used by our constructions. These include some facts about the Goldreich-Levin hard-core predicates [19], some properties of universal one-way hash functions, introduced by Naor and Yung [31], and properties of the interactive hashing

³ Further improvements are possible; see Section 3.2.

⁴ Loosely speaking, 1-out-of-n OT is a protocol for 2 players: A sender who initially has n secrets $x_1, \ldots, x_n$ and a receiver who initially holds an index 1 ≤ i ≤ n. At the end of the protocol the receiver knows $x_i$ but has no information about the other secrets, while the sender has no information about the index i. Note that OT is different from PIR in that there is no communication complexity requirement (beyond being polynomially bounded) but, on the other hand, "secrecy" is required for both players.
protocol, introduced by Ostrovsky, Venkatesan and Yung [33].⁵ In Section 3 we describe our basic PIR protocol based on one-way trapdoor permutations. This protocol is further extended in Section 4 to deal with faulty behavior by the server.



2 Preliminaries 

2.1 Notation 

We use the following notations throughout the paper. The data string is denoted by x, its length is denoted by n. The index of the bit that the user wishes to retrieve from this string is denoted by i. We use K to denote a security parameter.

For a finite set A, we denote by $a \in_R A$ the experiment of choosing an element of A according to the uniform distribution (and independently of all other random choices made).



2.2 Definitions 



In this section we define the notions of one-way trapdoor permutations and of 
hard-core predicates. The reader is referred to [17] for an extended background 
related to these definitions. 



Definition 1. A collection of functions $\mathcal{G} = \{G_K\}$ is called a collection of one-way trapdoor permutations if the following hold:

— There exists a probabilistic polynomial-time generating algorithm, I, that on input $1^K$ outputs a pair $(g, g^{-1})$ where g is (an index of) a function in $G_K$ and $g^{-1}$ is a string called the "trapdoor for g".

— Each function $g \in G_K$ is a permutation over $\{0,1\}^K$ and is computable in polynomial time (that is, there exists an algorithm that given $g \in \mathcal{G}$ and $x \in \{0,1\}^*$ computes the value of g(x) in time polynomial in |x|).

— Each g is easy to invert given its trapdoor $g^{-1}$. That is, there exists an algorithm that given $y \in \{0,1\}^K$ and the string $g^{-1}$ computes the (unique) value x such that g(x) = y (i.e. $x = g^{-1}(y)$) in time polynomial in K.

— It is hard to invert the functions in $\mathcal{G}$ without having the trapdoor. Formally, for every probabilistic polynomial-time algorithm B, every integer c, and sufficiently large K

$\Pr_{g \in I(1^K),\; y \in_R \{0,1\}^K}\big[B(g, y) = g^{-1}(y)\big] < \frac{1}{K^c}$

where "$g \in I(1^K)$" denotes choosing a function g according to the probability distribution induced by the generating algorithm I.

⁵ Interactive hashing has found many applications in cryptography (cf. [33,29,14,34,35,18,10,6]) since, in some settings, it can replace collision-resistant hash-functions but it can be implemented from general cryptographic assumptions. The drawback of this primitive is its high round-complexity (our protocol for a malicious server inherits this drawback; the question of how to reduce the round-complexity of this protocol is an interesting open problem).
Remark: There are definitions of one-way trapdoor permutations that give more power to the adversary. For example, the adversary may adaptively ask for many inverses of his choosing and only then try to invert the given permutation on a randomly chosen point. Another strengthening of the adversary, which is of interest in some cases, is requiring that it can recognize if g is "well-formed". The way in which we use the trapdoor permutations in our protocols, none of these issues comes up and so we stick to the above simpler definition.

Next, we will need the notion of hard-core predicates. Specifically, we will use the Goldreich-Levin hard-core predicates [19]. For a string $r \in \{0,1\}^K$ let us denote $r(x) = \langle r, x \rangle$, where ⟨·,·⟩ is the standard inner-product modulo 2. The Goldreich-Levin Theorem [19] states that if g is a one-way permutation then there is no algorithm that can compute r(x) given g(x) and r. Formally, for every probabilistic polynomial-time algorithm B, every integer c, and sufficiently large K

$\Pr_{g \in I(1^K),\; x \in_R \{0,1\}^K,\; r \in_R \{0,1\}^K}\big[B(g(x), r) = r(x)\big] < \frac{1}{2} + \frac{1}{K^c}$.

Remark: the above definitions concentrate on the case of one-way permutations; however, they can be easily generalized to deal with more general notions. In particular, the Goldreich-Levin Theorem [19] applies to any one-way function.



2.3 Some Useful Machinery 

Let $\mathcal{G}$ be some arbitrary family of one-way trapdoor permutations over $\{0,1\}^K$. It is sometimes convenient to view strings in $\{0,1\}^K$ as elements of the field $GF[2^K]$. With this view in mind, let

$\mathcal{H} = \{ h_{a,b} : GF[2^K] \to GF[2^K] \mid h(x) = ax + b,\ a, b \in GF[2^K],\ a \neq 0 \}$.

Given $\mathcal{G}$ and $\mathcal{H}$, Naor and Yung [31] define the following family of functions

$\mathcal{F} = \{ f : \{0,1\}^K \to \{0,1\}^{K-1} \mid g \in \mathcal{G},\ h \in \mathcal{H},\ f(x) = chop(h(g(x))) \}$

where the chop operator takes a string and chops its last bit.

For a function $f \in \mathcal{F}$ we sometimes denote f = (g, h) to indicate the functions $g \in \mathcal{G}$, $h \in \mathcal{H}$ based on which f is defined. Moreover, if I is the generating algorithm for $\mathcal{G}$ then we denote by $I_{\mathcal{F}}$ a generating algorithm for $\mathcal{F}$ that generates g by applying I, generates $h \in \mathcal{H}$ according to the uniform distribution and lets f = (g, h).

The following are basic properties of $\mathcal{F}$.

1. Each function $f \in \mathcal{F}$ is $2 \to 1$. In other words, for every $x \in \{0,1\}^K$ there is a (unique) string, denoted $x^*$, such that $f(x^*) = f(x)$ and $x^* \neq x$.
2. Every function f = (g, h) in $\mathcal{F}$ is efficiently computable. Moreover, given the trapdoor $g^{-1}$ it is easy to compute, for every $y \in \{0,1\}^{K-1}$, the two strings $x, x^*$ such that $f(x) = f(x^*) = y$.⁶

3. Collisions are hard to find for $\mathcal{F}$ [31] (i.e., given x and f(x) it is hard to find the string $x^*$). Formally, for every x, for every probabilistic polynomial-time algorithm B, every integer c, and sufficiently large K

$\Pr\big[B(x, f(x)) = x^*\big] < \frac{1}{K^c}$.

Note that property 3 does not guarantee that specific bits of $x^*$ are hard to find. Instead we will make use of hard-core bits.



We shall use in an essential way an interactive hashing protocol of Ostrovsky, Venkatesan and Yung [33]. Interactive hashing found many applications in cryptography (cf. [33,14,29,34,35,18,10,6]). This is a protocol between two players Alice and Bob, where both Alice and Bob are probabilistic polynomial-time machines. Alice is given as an input $1^K$, a function $g \in G_K$ and an input $x \in \{0,1\}^K$; Bob is given $1^K$. The interactive hashing protocol proceeds as follows:

— Bob chooses uniformly at random K − 1 vectors $H_1, \ldots, H_{K-1}$ in $\{0,1\}^K$ subject to the constraint that these K − 1 vectors are linearly independent (viewing them as elements of the linear space $\mathbb{Z}_2^K$).

— The players interact in K − 1 rounds where in round i they do the following:

• Bob sends to Alice $H_i$.

• Alice sends to Bob $\langle H_i, g(x) \rangle$ (the inner product of $H_i$ and g(x)).

The communication in this protocol, consisting of the strings $H_1, \ldots, H_{K-1}$ sent by Bob and the bits $\langle H_1, g(x) \rangle, \ldots, \langle H_{K-1}, g(x) \rangle$, defines K − 1 linear equations and since all the $H_i$'s are linearly independent these equations admit two solutions, denoted $\{y, y^*\}$ (we use the same notation as was used above for the pre-images of $f \in \mathcal{F}$ to stress the analogy between these two tools; this analogy will also be used in our protocols). We now state several facts regarding interactive hashing that make it useful for our purposes:

— If Alice follows the protocol then one of $\{y, y^*\}$ is g(x) (recall that x is an input to Alice).

— Bob sends a total of $O(K^2)$ bits to Alice. Alice sends a total of K − 1 bits in response.

— It is hard for Alice to find inverses of both $y, y^*$, even if Alice does not follow the protocol. Formally, for every probabilistic polynomial-time algorithm A', for every integer c and sufficiently large K, if g is chosen according to $I(1^K)$ then after A' executes the protocol with Bob, the probability that A' outputs $x_0, x_1$ such that both $g(x_0) = y$ and $g(x_1) = y^*$ is less than $1/K^c$.

⁶ Note that every $h \in \mathcal{H}$ is $1 \to 1$ and easy to invert; therefore, given y one can try the two options for the chopped bit, invert h and then invert g using the trapdoor. We also note that this property was not considered in [31] since they deal with arbitrary one-way permutations and not only with trapdoor permutations.
Interactive hashing, as described up to this point, works with any one-way permutation. In [33] one more property was used, which is needed in the current paper as well. Specifically, we will apply interactive hashing with one-way trapdoor permutations; this modification gives the following crucial property:

— Given the trapdoor for g (i.e., the string $g^{-1}$) and the communication (i.e., the strings $H_1, \ldots, H_{K-1}$ and the bits $\langle H_1, g(x) \rangle, \ldots, \langle H_{K-1}, g(x) \rangle$) Bob can compute both $x_0$ and $x_1$ (i.e., the strings such that $g(x_0) = y$ and $g(x_1) = y^*$).



2.4 PIR Protocols 

A Private Information Retrieval (PIR) is a protocol for two players: a server S who knows an n-bit string x (called the database), and a user U holding an index $i \in [n]$ and interested in retrieving the value $x_i$. When considering the privacy requirement of PIR protocols there are several possible types of "faulty" behaviors by the server: the server might be honest-but-curious or it might be malicious. Below we detail the definition for each of these types; we note however that the difference is especially important when dealing with multi-round protocols (as those described in this work).

An honest-but-curious server is one that behaves according to the pre-defined protocol and just tries to deduce information about i from the communication it sees. This is formulated as follows: Fix a data string x; for every $i, i' \in [n]$ (where $i \neq i'$) the distribution of communications generated by the protocol when the user is interested in bit i is indistinguishable⁷ from the distribution generated when the user is interested in index i'. We stress here that x is fixed and the server is not allowed to change it during the protocol's execution.

A malicious server is one that does not necessarily follow the protocol. It should be immediately noticed that there are several "bad" behaviors by a malicious server which cannot be avoided; e.g., the server may refuse to participate in the protocol or it may change the content of the database (say, it can act as if $x = 0^n$). The privacy requirement in this case makes sure however that, no matter what the server does, the identity of the index i is not revealed. Formally, for every $i, i' \in [n]$ (where $i \neq i'$) no probabilistic polynomial-time server S' can distinguish executions of the protocol when the user's index is i from executions of the protocol when the user's index is i'. We stress that here, the server is allowed to modify its messages in an arbitrary manner during the protocol execution in order to be able to distinguish.

3 A PIR Protocol with Respect to a Honest-but-Curious 
Server 

In this section we present the honest-but-curious PIR protocol which proves that it is possible to construct a PIR protocol from any family of one-way trapdoor permutations, with communication complexity smaller than n. (Later we describe some simple improvements on this protocol.)

⁷ For lack of space we omit the formal definition of indistinguishability which is a standard one [40].

Theorem 1. If one-way trapdoor permutations exist then there exists an honest-but-curious single-server PIR protocol whose communication complexity is at most

(More precisely, the user sends O(K) bits and the server sends at most $n - \frac{n}{2K}$ bits.)

(Some slightly better bounds are mentioned in Section 3.2 below.)

Let $\mathcal{G}$ be a collection of one-way trapdoor permutations, as guaranteed by the theorem, and let $\mathcal{F}$ be a family of $2 \to 1$ functions constructed based on $\mathcal{G}$, as described in Section 2.3. Assume, without loss of generality, that n is divisible by 2K and let $\ell = n/(2K)$. The protocol works as follows.

1. The user picks two functions $f_L = (g_L, h_L)$ and $f_R = (g_R, h_R)$ (including the corresponding trapdoors $g_L^{-1}$ and $g_R^{-1}$) using the generating algorithm $I_{\mathcal{F}}(1^K)$. It sends the functions $f_L, f_R$ to the server (without the trapdoors).

2. Both the server and the user view x as if it is composed of $2\ell$ sub-strings $z_{1,L}, z_{1,R}, z_{2,L}, z_{2,R}, \ldots, z_{\ell,L}, z_{\ell,R}$ each of size K (we refer to these strings as "blocks"). The server now applies $f_L$ to each block $z_{j,L}$ and applies $f_R$ to each block $z_{j,R}$. It sends all the outcomes

$f_L(z_{1,L})$   $f_R(z_{1,R})$
$f_L(z_{2,L})$   $f_R(z_{2,R})$
⋮
$f_L(z_{\ell,L})$   $f_R(z_{\ell,R})$

to the user.

3. The user, having the trapdoors for both $f_L$ and $f_R$, can compute for each block z the two possible pre-images $\{z, z^*\}$. Assume that the bit $x_i$ is in some block $z_{s,L}$, for some s. The user picks random $r_L, r_R \in \{0,1\}^K$ such that the hard-core predicates corresponding to $r_L, r_R$ satisfy

$r_L(z_{s,L}) \neq r_L(z_{s,L}^*)$ and $r_R(z_{s,R}) = r_R(z_{s,R}^*)$.

It sends $r_L, r_R$ to the server. (If the index $x_i$ is in block $z_{s,R}$ then $r_L, r_R$ are chosen subject to the constraint $r_R(z_{s,R}) \neq r_R(z_{s,R}^*)$ and $r_L(z_{s,L}) = r_L(z_{s,L}^*)$.)

4. For each $j = 1, \ldots, \ell$ the server computes and sends the bit $b_j = r_L(z_{j,L}) \oplus r_R(z_{j,R})$.

5. By the choice of $r_L, r_R$ the bit $b_s$ allows the user to compute the value of $z_{s,L}$ (or the value of $z_{s,R}$ depending on the way that $r_L, r_R$ were chosen).⁸ This gives the user the bit $x_i$ (as well as all other bits in the corresponding block).

⁸ The user ignores all the other bits $b_j$, for $j \neq s$.
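As an added worked example (not code from the paper), the five steps above run on a toy instance: the one-way trapdoor permutation is stood in for by a random permutation table whose inverse serves as the trapdoor (this shows only the mechanics, it is not one-way), K = 8, h_{a,b} is affine over GF[2^8], chop drops the last bit and r(x) is the Goldreich-Levin predicate of Section 2.3; the 64-bit database is constructed.

```python
# Toy walk-through of the honest-but-curious PIR protocol of Section 3.
# Assumption: the trapdoor permutation is a random permutation of {0,1}^K whose
# inverse table is the "trapdoor" (no one-wayness, mechanics only).
import random

K = 8                   # block length; a toy value, not a real security parameter
GF_POLY = 0x11B         # x^8 + x^4 + x^3 + x + 1, reduction polynomial of GF[2^8]


def gf_mul(a, b):
    """Product in GF[2^K]: carry-less multiply reduced modulo GF_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> K:
            a ^= GF_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF[2^K] by exhaustive search (fine for K = 8)."""
    return next(c for c in range(1, 1 << K) if gf_mul(a, c) == 1)


def gen_trapdoor_perm(rng):
    """Toy stand-in for I(1^K): a random permutation g and its inverse (the trapdoor)."""
    g = list(range(1 << K))
    rng.shuffle(g)
    g_inv = [0] * (1 << K)
    for x, y in enumerate(g):
        g_inv[y] = x
    return g, g_inv


def gen_f(rng):
    """I_F(1^K): f = (g, h_{a,b}); returns the public description and the trapdoor g^{-1}."""
    g, g_inv = gen_trapdoor_perm(rng)
    a, b = rng.randrange(1, 1 << K), rng.randrange(1 << K)
    return (g, a, b), g_inv


def f_eval(f, x):
    """f(x) = chop(h(g(x))), a (K-1)-bit value."""
    g, a, b = f
    return (gf_mul(a, g[x]) ^ b) >> 1


def f_preimages(f, g_inv, y):
    """Property 2: with the trapdoor, both pre-images {z, z*} of y (try both chopped bits)."""
    g, a, b = f
    a_inv = gf_inv(a)
    return tuple(g_inv[gf_mul(a_inv, ((y << 1) | bit) ^ b)] for bit in (0, 1))


def gl(r, x):
    """Goldreich-Levin hard-core predicate r(x) = <r, x> mod 2."""
    return bin(r & x).count("1") & 1


def pir_retrieve(x_bits, i, seed=0):
    """Run Steps 1-5 for database x_bits (a '0'/'1' string) and index i.

    Returns (recovered bit x_i, number of bits the server sent)."""
    rng = random.Random(seed)
    n = len(x_bits)
    assert n % (2 * K) == 0
    ell = n // (2 * K)
    # Step 1 (user): pick f_L, f_R with trapdoors; only f_L, f_R go to the server.
    fL, tL = gen_f(rng)
    fR, tR = gen_f(rng)
    # Step 2 (server): blocks z_{j,L}, z_{j,R}; send f_L(z_{j,L}) and f_R(z_{j,R}).
    blocks = [int(x_bits[j:j + K], 2) for j in range(0, n, K)]
    zL, zR = blocks[0::2], blocks[1::2]
    imgL = [f_eval(fL, z) for z in zL]
    imgR = [f_eval(fR, z) for z in zR]
    server_bits = 2 * ell * (K - 1)
    # Step 3 (user): pair s holding bit i; {z, z*} for both of its blocks; choose r_L, r_R
    # so the predicate differs on the wanted block and agrees on the other one.
    s, side = divmod(i // K, 2)          # side 0: bit i is in z_{s,L}; side 1: in z_{s,R}
    candL = f_preimages(fL, tL, imgL[s])
    candR = f_preimages(fR, tR, imgR[s])
    while True:
        rL, rR = rng.randrange(1 << K), rng.randrange(1 << K)
        diffL = gl(rL, candL[0]) != gl(rL, candL[1])
        diffR = gl(rR, candR[0]) != gl(rR, candR[1])
        if diffL == (side == 0) and diffR == (side == 1):
            break
    # Step 4 (server): one bit per pair, b_j = r_L(z_{j,L}) xor r_R(z_{j,R}).
    b = [gl(rL, zL[j]) ^ gl(rR, zR[j]) for j in range(ell)]
    server_bits += ell
    # Step 5 (user): the constant side has the same predicate on both candidates, so b_s
    # reveals the predicate on the wanted block, which singles out z among {z, z*}.
    if side == 0:
        want = b[s] ^ gl(rR, candR[0])
        z = next(c for c in candL if gl(rL, c) == want)
    else:
        want = b[s] ^ gl(rL, candL[0])
        z = next(c for c in candR if gl(rR, c) == want)
    return int(format(z, f"0{K}b")[i % K]), server_bits


# Constructed 64-bit database (n = 64, so ell = 4 pairs of K-bit blocks).
DB = "1011001001110101" "1111000010010110" "0101101000110011" "1110011000010111"

if __name__ == "__main__":
    for idx in (0, 13, 40, 63):
        bit, sent = pir_retrieve(DB, idx, seed=idx)
        print(f"x_{idx} = {bit} (true {DB[idx]}), server sent {sent} of n = {len(DB)} bits")
```

The server's total of 2ℓ(K − 1) + ℓ = n − n/(2K) bits (60 here) is the count used in the Communication Complexity paragraph; the user's O(K) bound does not hold for the toy permutation tables.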
Correctness: The correctness follows from the description of the protocol and the basic properties of $\mathcal{F}$. The idea is that for the pair of blocks in which the user is interested, $z_{s,L}, z_{s,R}$, the hard-core predicates are chosen in a way that they are sensitive on the block which the user wishes to retrieve, and are constant on the other block. This allows the user to distinguish the target z from $z^*$.

Communication Complexity: The only messages sent by the user are those for specifying $f_L, f_R, r_L, r_R$; all together O(K) bits. The server, on the other hand, sends for each pair of blocks 2(K − 1) bits in Step 2 and an additional bit in Step 4. All together, $\ell \cdot (2K - 1) = n - \frac{n}{2K}$ bits. Therefore, the communication complexity is as claimed by the theorem.

3.1 Proof of Security 

The only information that the user sends which depends on the index it is interested in is the choice of $r_L, r_R$ (Step 3). We need to show that these strings maintain the privacy of the user's index. For this we introduce some notation. We say that a block $z_{s,L}$ (resp. $z_{s,R}$) is of type "E" (equal) if $r_L(z_{s,L}) = r_L(z_{s,L}^*)$ (resp., if $r_R(z_{s,R}) = r_R(z_{s,R}^*)$); similarly, we say that a block $z_{s,L}$ (resp. $z_{s,R}$) is of type "N" (not equal) if $r_L(z_{s,L}) \neq r_L(z_{s,L}^*)$ (resp., if $r_R(z_{s,R}) \neq r_R(z_{s,R}^*)$). Hence, the choice of $r_L, r_R$ defines a sequence of $\ell$ pairs in $\{E, N\}^2$ with the only restriction being that the pair in which the index i resides must be either (N, E) or (E, N) (depending on whether i is in the left block or the right block). We also use * to denote a "don't-care". So if, for example, the user wishes to retrieve the first block it picks $r_L, r_R$ subject to the constraint that the corresponding sequence is (N, E), (*, *), …, (*, *).

Using the above notation, we will now prove that the server cannot distinguish any pair of indices i, i' the user may wish to retrieve. Obviously, if i, i' are in the same block then the user behaves in an identical way in both cases and there is no way for the server to distinguish the two cases. The next case is where i, i' are in the same pair of blocks; say, i is in $z_{s,L}$ and i' in $z_{s,R}$. For simplicity of notation assume s = 1; then in the first case $r_L, r_R$ are chosen uniformly from those that induce the sequence

(N, E), (*, *), …, (*, *)

while in the second case $r_L, r_R$ are chosen from those that induce the sequence

(E, N), (*, *), …, (*, *).

We omit the details for this case since it is a degenerate case of the more general scenario where, say, i is in $z_{s,L}$ and i' in $z_{s',R}$. Again, for simplicity of notation assume s = 1, s' = 2; then, we have to distinguish the following two sequences:

(N, E), (*, *), (*, *), …, (*, *)

and

(*, *), (E, N), …, (*, *).
(Note that if, for example, the server can tell that for some s the corresponding pair is of type, say, (E, E) then it can conclude that none of the blocks $z_{s,L}, z_{s,R}$ is of interest for the user.) We now show that if the server is able to distinguish the above two sequences it can also predict the hard-core predicate associated with the family $\mathcal{G}$.

The first step uses a hybrid argument to claim that if one can distinguish the two distributions of $r_L, r_R$ as above (given x, $f_L$ and $f_R$) then it can also distinguish two adjacent distributions among the following list of distributions:

$\Pi_1$ : (N, E), (*, *), (*, *), …, (*, *)
$\Pi_2$ : (*, E), (*, *), (*, *), …, (*, *)
$\Pi_3$ : (*, *), (*, *), (*, *), …, (*, *)
$\Pi_4$ : (*, *), (E, *), (*, *), …, (*, *)
$\Pi_5$ : (*, *), (E, N), (*, *), …, (*, *)

(If each pair of adjacent distributions is indistinguishable then so are $\Pi_1$ and $\Pi_5$, contradicting the assumption that the server can distinguish.) Suppose, for example, that one can distinguish $\Pi_1$ and $\Pi_2$ (other cases are similar or even simpler; they might require flipping the roles of $f_L$ and $f_R$). Then, it is also possible to distinguish $\Pi_1$ and

$\Pi_2'$ : (E, E), (*, *), …, (*, *).

To make the distinguishing property more concrete assume, without loss of generality, that for some data string x,

$\Pr_{f_L, f_R \in I_{\mathcal{F}}(1^K),\; (r_L, r_R) \in \Pi_1}\big[D(x, f_L, f_R, r_L, r_R) = 1\big] \le \frac{1}{2} - \varepsilon$

and

$\Pr_{f_L, f_R \in I_{\mathcal{F}}(1^K),\; (r_L, r_R) \in \Pi_2'}\big[D(x, f_L, f_R, r_L, r_R) = 1\big] \ge \frac{1}{2} + \varepsilon$.

We use this algorithm D to construct an algorithm B that on input $g \in I(1^K)$, $y \in_R \{0,1\}^K$ and $r \in_R \{0,1\}^K$ predicts the hard-core predicate $r(g^{-1}(y))$ with probability 0.5 + ε. This contradicts the Goldreich-Levin Theorem [19] (see Section 2.2). Algorithm B works as follows:

1. Choose $h_L$ at random subject to the constraint

$chop(h_L(y)) = chop(h_L(g(z_{1,L})))$.⁹

Let $f_L = (g, h_L)$ and $r_L = r$. (Note that, with respect to $f_L$ we have $z_{1,L}^* = g^{-1}(y)$. Also crucial is the fact that since D does not have y (only B does) the distribution of $h_L$ looks random to D.)

⁹ Specifically, in the unlikely event that $g(z_{1,L}) = y$ we are done; otherwise, choose $v \in \{0,1\}^K$ at random and let v' be identical to v with the last bit flipped. Then, we solve the system of equations $a \cdot y + b = v$ and $a \cdot g(z_{1,L}) + b = v'$ to find a, b (i.e., $h_L$). In particular $a = (v - v') / (y - g(z_{1,L}))$ (note that this is well defined since $y \neq g(z_{1,L})$ and different from 0 since $v \neq v'$).
2. Choose a function f_R ∈ F (including the corresponding trapdoor!) and compute the string z*_{1,R} (by using the trapdoor). Pick a random r_R subject to the constraint that r_R(z*_{1,R}) = r_R(z_{1,R}).

3. Invoke D on input (x, f_L, f_R, r_L, r_R). If the output is "1" (in which case the input is more likely to be from Π_2; i.e., r_L(z_{1,L}) and r_L(z*_{1,L}) are more likely to be not-equal) then B's output is 1 − r_L(z_{1,L}). If the output is "0" (in which case the input is more likely to be from Π_1; i.e., r_L(z_{1,L}) and r_L(z*_{1,L}) are more likely to be equal) then B's output is r_L(z_{1,L}). (Note that while B does not know what z*_{1,L} is, it knows z_{1,L} and hence can apply r_L to it.)

It can be verified that the distribution of inputs provided to D is exactly what 
is needed and hence the correctness of B follows. 
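The construction of h_L from footnote 6 (Step 1 of B), carried out over GF(2^8), as an added example that is not code from the paper. It assumes what the paper leaves open: K = 8, h_L is the affine map u ↦ a·u + b over GF(2^K) represented with the AES reduction polynomial, chop drops the last bit, and the one-way trapdoor permutation g is replaced by a random permutation table purely so the example runs (it is not one-way). `choose_h`, `collision_holds` and `demo` are names chosen here.

```python
"""Footnote 6 of Section 3.1: choose h_L = (a, b) so that f_L(x) = chop(h_L(g(x)))
collides on z_{1,L} and on g^{-1}(y), where B knows y but not g^{-1}(y).
Assumptions (ours, not the paper's): K = 8, GF(2^8) with the AES polynomial,
chop() drops the least significant bit, g is a random permutation table."""
import random

K = 8
MOD = 0x11B  # x^8 + x^4 + x^3 + x + 1 (assumed field representation)


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) (shift-and-add with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse a^(2^8 - 2) = a^254, for a != 0."""
    assert a != 0
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def chop(u: int) -> int:
    """Drop the last bit of a K-bit string: f(x) = chop(h(g(x))) has K-1 bits."""
    return u >> 1


def h(a: int, b: int, u: int) -> int:
    """The affine hash h(u) = a*u + b over GF(2^K)."""
    return gf_mul(a, u) ^ b


def choose_h(y: int, g_z: int, rng):
    """Return (a, b) with chop(h(y)) == chop(h(g_z)), or None when g_z == y
    (then z_{1,L} already equals g^{-1}(y) and B is done)."""
    if y == g_z:
        return None
    v = rng.randrange(1 << K)
    v2 = v ^ 1                      # v' = v with the last bit flipped
    # Solve a*y + b = v and a*g_z + b = v2.  In characteristic 2 subtraction is
    # XOR, so v - v' = v ^ v2 = 1 and a = 1 / (y ^ g_z), which is non-zero.
    a = gf_mul(v ^ v2, gf_inv(y ^ g_z))
    b = v ^ gf_mul(a, y)            # b is uniform because v is
    return a, b


def collision_holds(y: int, g_z: int, a: int, b: int) -> bool:
    """f_L(z_{1,L}) == f_L(g^{-1}(y)), i.e. chop(h(g(z_{1,L}))) == chop(h(y))."""
    return chop(h(a, b, g_z)) == chop(h(a, b, y))


def demo(seed: int = 1) -> bool:
    """Run the construction on constructed sample values and check the collision."""
    rng = random.Random(seed)
    table = list(range(1 << K))     # stand-in for g: a random permutation table
    rng.shuffle(table)
    z1 = rng.randrange(1 << K)      # the fixed first block z_{1,L}
    y = rng.randrange(1 << K)       # B's challenge; B never learns g^{-1}(y)
    hl = choose_h(y, table[z1], rng)
    if hl is None:
        return True
    a, b = hl
    return collision_holds(y, table[z1], a, b)
```

Note that a is fully determined by y and g(z_{1,L}); only b carries the randomness of v. The collision is exact: h maps g(z_{1,L}) to v' and y to v, which differ only in the bit that chop discards.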



3.2 Some Improvements 

We tried to make the description of the protocol above as simple as possible. There are however certain modifications that one can apply to it in order to slightly improve the efficiency. One such improvement is, instead of using two functions f_L, f_R, to use d such functions f_1, . . . , f_d (where d may depend on K and/or n). Then, the user can choose hard-core predicates r_1, . . . , r_d such that the one corresponding to the index i gets two different values (on the corresponding z, z*) while each of the other hard-core predicates gets the same value (on z, z*). Then, when the server returns the exclusive-or of the d bits, this allows the user to reconstruct the block of interest.

A second (more significant) modification that one can make is, instead of using F as above, where each f ∈ F is obtained by chopping a single bit from h(g(x)), to chop some s bits (specifically, s = O(log log n)). Now, in Step 2 of the protocol the server needs to send only K − s bits per block. In Step 3 the user can pick s strings r that will allow him to retrieve only the block of interest. Finally, in Step 4 (if combined with the previous modification) for each d blocks it needs to send back s bits. This gives a complexity of n − . . . bits from the server to the user (for any constant c) and O(Kd log log n) bits from the user to the server.

4 A PIR Protocol with Respect to a Malicious Server 

In this section we deal with the case where the server is malicious. It is instructive to consider first the protocol of Section 3 and examine the possibilities of a malicious server to violate the privacy of the protocol. Suppose that the server, after receiving the functions f_L, f_R from the user (in Step 1), can find a pair of strings α_1, α_2 ∈ {0,1}^K such that f_L(α_1) = f_L(α_2) (note that the properties of F guarantee that for every x and a randomly chosen f ∈ F it is hard to find x*; but they do not guarantee that after choosing f one cannot find a pair x, x* with respect to this f; this is exactly the weakness that we wish to use). Then, the server can replace, say, z_{1,L} by α_1. Now, when getting r_L, r_R from the user (in Step 3) it can tell whether the first block is of type "E" or "N" (since it knows both z_{1,L} and z*_{1,L}, which are just α_1 and α_2). So, for example, if the block is of type "E" then it follows that i is not in the first block. This violates the privacy of i.

To overcome the above difficulties, we replace the use of the family F by the use of interactive hashing. While the two tools have several similarities, interactive hashing is the right tool to make sure that the server cannot, for example, force both α_1 and α_2 to be mapped in the same way. However, there is another technical difficulty in generalizing the honest-but-curious case to the malicious case. Consider the proof of security in Section 3.1. A crucial point in that proof is that we can make z_{1,L} (which is fixed) and g^{-1}(y) be mapped to the same value. In the malicious case this cannot be done because the server need not fix the database and may choose it in some arbitrary way (possibly depending on the communication). Intuitively, this means that the fact that the distinguisher can tell blocks of type "E" (equal) from blocks of type "N" (not equal) does not necessarily help us in predicting the hard-core bit. This will require us to come up with some extra new machinery (see the definition of Ĝ below).

We prove the following theorem: 

Theorem 2. If one-way trapdoor permutations exist then there exists a malicious-server single-server PIR protocol whose communication complexity is at most . . .

(More precisely, the user sends O(K^2) bits and the server sends at most n − . . . bits. Also, if the server is honest then with a negligible probability the protocol fails; i.e., the user does not get the bit x_i, but its privacy is still maintained.^10)

Let G be a collection of one-way trapdoor permutations, as guaranteed by the theorem. As a first step we construct, based on G, a new family of one-way trapdoor permutations Ĝ which is defined as follows. Each function ĝ ∈ Ĝ_K is defined using 4 functions g_00, g_01, g_10, g_11 ∈ G_{K−2}. Let x be a string in {0,1}^K and write x = b_1 b_2 w, where b_1, b_2 ∈ {0,1} and w ∈ {0,1}^{K−2}. We define

$$\hat{g}(x) = b_1 b_2\, g_{b_1 b_2}(w).$$

Clearly each such ĝ is a permutation over {0,1}^K. The trapdoor ĝ^{-1} corresponding to ĝ consists of the corresponding 4 trapdoors; i.e., (g_00^{-1}, g_01^{-1}, g_10^{-1}, g_11^{-1}). The generating algorithm for Ĝ, denoted I_Ĝ(1^K), simply works by applying I_G(1^{K−2}) four times for generating g_00, g_01, g_10, g_11 (with their trapdoors).

As before assume, without loss of generality, that n is divisible by 2K and let ℓ = n/(2K). The protocol works as follows.



^10 As pointed out in Section 2.4, a "bad" server can always refuse to let the user retrieve the bit; hence, this is not considered a violation of the correctness requirement.
1. The user picks two functions ĝ_L and ĝ_R (including the corresponding trapdoors, and using the generating algorithm I_Ĝ(1^K)). It sends the functions ĝ_L, ĝ_R to the server (without the trapdoors).

2. As before, the server and the user view the string x as if it is composed of 2ℓ "blocks" z_{1,L}, z_{1,R}, z_{2,L}, z_{2,R}, . . . , z_{ℓ,L}, z_{ℓ,R}, each of size K.

Now the server and the user play 2ℓ interactive hashing protocols as follows. First, the user chooses K − 1 linearly independent vectors in {0,1}^K denoted H_1^L, . . . , H_{K−1}^L. Now, for each t from 1 to K − 1 (in rounds) do:

— The user sends to the server H_t^L.

— The server sends to the user the bits ⟨H_t^L, ĝ_L(z_{1,L})⟩, . . . , ⟨H_t^L, ĝ_L(z_{ℓ,L})⟩.

The same is repeated for the "right" blocks. That is, the user chooses another set of K − 1 linearly independent vectors H_1^R, . . . , H_{K−1}^R and (in rounds) gets from the server the values ⟨H_t^R, ĝ_R(z_{1,R})⟩, . . . , ⟨H_t^R, ĝ_R(z_{ℓ,R})⟩.

3. The user, having the trapdoors for both ĝ_L and ĝ_R, can compute for each block z the two possible pre-images {z, z*}. We call a block bad if the first two bits of z, z* are equal; otherwise it is called good. If more than 1/3 of the blocks are bad then the protocol halts (it is important to note that the functions in Ĝ do not change the first two bits; therefore both players, including the server who does not have the trapdoor, can tell which block is bad and which is not). We call a pair of blocks z_{j,L}, z_{j,R} good if both blocks are good; otherwise the pair is bad.

4. Dealing with bad pairs of blocks:

The user chooses two more vectors H_K^L (independent of H_1^L, . . . , H_{K−1}^L) and H_K^R (independent of H_1^R, . . . , H_{K−1}^R). It sends these vectors to the server. In return, for each bad pair z_{j,L}, z_{j,R}, the server sends ⟨H_K^L, ĝ_L(z_{j,L})⟩ and ⟨H_K^R, ĝ_R(z_{j,R})⟩. In this case both z_{j,L}, z_{j,R} become known to the user.

5. Dealing with good pairs of blocks:

Assume that the bit x_i is in some block z_{s,L}, for some good pair z_{s,L}, z_{s,R} (if i is in a pair where at least one of the blocks is bad then in fact the user already knows the block from the previous step and can continue in an arbitrary manner). The user picks random r_L, r_R ∈ {0,1}^K such that

$$r_L(z_{s,L}) \neq r_L(z^*_{s,L}) \quad\text{and}\quad r_R(z_{s,R}) = r_R(z^*_{s,R}).$$

(If the index x_i is in block z_{s,R} then r_L, r_R are chosen subject to the constraint r_R(z_{s,R}) ≠ r_R(z*_{s,R}) and r_L(z_{s,L}) = r_L(z*_{s,L}).)

(a) The user sends r_L, r_R to the server.

(b) For every good pair z_{j,L}, z_{j,R} the server computes and sends the bit

$$b_j = r_L(z_{j,L}) \oplus r_R(z_{j,R}).$$

(c) By the choice of r_L, r_R the bit b_s allows the user to compute the value of z_{s,L} (or the value of z_{s,R}, depending on the way that r_L, r_R were chosen). This gives the user the bit x_i (as well as all other bits in the corresponding block).
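Steps 1 to 5 above, run for a single pair of blocks, as an added example in Python (not the authors' code). Everything the paper leaves unspecified is an assumption here: K = 8; the four functions g_00, . . . , g_11 of Ĝ are random permutation tables whose inverse tables stand in for the trapdoors (they are not one-way, they only let the example run); the hard-core predicates r_L, r_R are the Goldreich-Levin inner products ⟨r, z⟩ mod 2; and the user solves the K − 1 interactive-hashing equations by enumerating {0,1}^K, which is adequate at this size. The final XOR step is also the d = 2 instance of the d-function trick of Section 3.2. `GHat`, `interactive_hash`, `is_bad`, `run_pair` and `simulate` are names chosen here.

```python
"""One pair of blocks of the Section 4 protocol, end to end (added example).
Assumptions: K = 8; g_{b1 b2} are random permutation tables with inverse tables
as "trapdoors"; r(z) = <r, z> mod 2; the user solves the hashing system by
enumeration."""
import random

K = 8                       # block size (assumption; the paper leaves K free)
PREFIX_SHIFT = K - 2        # the two pass-through bits sit above the low K-2 bits


def parity(v: int) -> int:
    """<r, z> mod 2 is parity(r & z): the Goldreich-Levin predicate."""
    return bin(v).count("1") & 1


def gf2_rank(vectors) -> int:
    """Rank over GF(2) of K-bit vectors stored as ints (Gaussian elimination)."""
    rows, rank = list(vectors), 0
    for bit in reversed(range(K)):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rank += 1
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
    return rank


class GHat:
    """g^(b1 b2 w) = b1 b2 g_{b1 b2}(w): the first two bits are passed through."""

    def __init__(self, rng: random.Random):
        self.tables = []
        for _ in range(4):
            t = list(range(1 << PREFIX_SHIFT))
            rng.shuffle(t)                      # stand-in for g_{b1 b2}, not one-way
            self.tables.append(t)
        # the four "trapdoors" (inverse tables); only the user holds these
        self.trapdoors = [{v: i for i, v in enumerate(t)} for t in self.tables]

    def apply(self, x: int) -> int:             # public direction
        prefix, w = x >> PREFIX_SHIFT, x & ((1 << PREFIX_SHIFT) - 1)
        return (prefix << PREFIX_SHIFT) | self.tables[prefix][w]

    def invert(self, y: int) -> int:            # needs the trapdoors
        prefix, w = y >> PREFIX_SHIFT, y & ((1 << PREFIX_SHIFT) - 1)
        return (prefix << PREFIX_SHIFT) | self.trapdoors[prefix][w]


def independent_vectors(rng: random.Random, count: int):
    """Step 2: `count` linearly independent vectors H_1..H_count in {0,1}^K."""
    while True:
        vs = [rng.randrange(1, 1 << K) for _ in range(count)]
        if gf2_rank(vs) == count:
            return vs


def interactive_hash(rng: random.Random, ghat: GHat, z: int):
    """K-1 rounds on one block: the user sends H_t, the server answers <H_t, g^(z)>.
    The answers leave exactly two K-bit images; the user inverts both with the
    trapdoor and gets {z, z*} in unknown order."""
    y = ghat.apply(z)                                   # server side
    H = independent_vectors(rng, K - 1)                 # user side
    answers = [parity(h & y) for h in H]                # server side, one bit per round
    images = [u for u in range(1 << K)                  # user solves the K-1 equations
              if all(parity(h & u) == a for h, a in zip(H, answers))]
    assert len(images) == 2 and y in images
    return [ghat.invert(u) for u in images]


def is_bad(candidates) -> bool:
    """Step 3: bad when both pre-images share their first two bits.  Those bits
    survive g^, so the server can apply this test without any trapdoor."""
    return candidates[0] >> PREFIX_SHIFT == candidates[1] >> PREFIX_SHIFT


def run_pair(rng: random.Random, z_L: int, z_R: int):
    """Steps 1-5 for one pair with x_i in the left block.  Returns the block the
    user recovers, or None if the pair is bad (Step 4 would reveal it instead)."""
    gL, gR = GHat(rng), GHat(rng)                       # Step 1
    cL = interactive_hash(rng, gL, z_L)                 # Step 2, left block
    cR = interactive_hash(rng, gR, z_R)                 # Step 2, right block
    if is_bad(cL) or is_bad(cR):                        # Step 3
        return None
    r_L = rng.randrange(1 << K)                         # Step 5: r_L separates z_L, z_L*
    while parity(r_L & cL[0]) == parity(r_L & cL[1]):
        r_L = rng.randrange(1 << K)
    r_R = rng.randrange(1 << K)                         # r_R agrees on z_R, z_R*
    while parity(r_R & cR[0]) != parity(r_R & cR[1]):
        r_R = rng.randrange(1 << K)
    b = parity(r_L & z_L) ^ parity(r_R & z_R)           # server: b_s = r_L(z_L) xor r_R(z_R)
    r_L_of_z_L = b ^ parity(r_R & cR[0])                # user knows r_R(z_R) either way
    return next(c for c in cL if parity(r_L & c) == r_L_of_z_L)


def simulate(seed: int, z_L: int, z_R: int, tries: int = 60):
    """Rerun with fresh coins until the pair is good (each block is bad with
    probability 1/4 against an honest server, as the correctness argument says)."""
    for s in range(tries):
        out = run_pair(random.Random(seed + s), z_L, z_R)
        if out is not None:
            return out
    return None


def ghat_is_prefix_preserving_permutation(seed: int) -> bool:
    """Sanity check of the G-hat construction: bijective and prefix-preserving."""
    g, dom = GHat(random.Random(seed)), range(1 << K)
    return (sorted(g.apply(x) for x in dom) == list(dom)
            and all(g.invert(g.apply(x)) == x for x in dom)
            and all(g.apply(x) >> PREFIX_SHIFT == x >> PREFIX_SHIFT for x in dom))
```

The server only ever sees H_t, r_L, r_R and its own answers; which of the two left candidates is real is decided by one bit, b_s, that the user can interpret only because r_R takes the same value on both right candidates.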



Remark: Improvements similar to those described in Section 3.2 are possible in 
this case as well; details are omitted for lack of space. 
Correctness: The correctness is similar to the correctness of the protocol in Section 3; one difference, which is not crucial for the correctness argument, is the use of the interactive hashing (i.e., H_1^L, . . . , H_{K−1}^L and H_1^R, . . . , H_{K−1}^R) instead of "standard hashing" (i.e., apply the functions f ∈ F and chop the last bit). The second difference is the treatment of bad pairs; however, from the point of view of correctness this is an easy case since both blocks of each such pair become known to the user. The only significant difference is the fact that the protocol may halt without the user retrieving x_i (Step 3). However, the properties of interactive hashing guarantee that if the server plays honestly, then the probability of each block being bad (i.e., both pre-images start with the same 2 bits) is 1/4; hence, by a Chernoff bound, the probability in the case of an honest server that at least 1/3 of the blocks are bad is exponentially small in the number of blocks (i.e., 2ℓ = n/K). (Note that if the server is dishonest in a way that makes more than 1/3 of the blocks bad then the protocol is aborted.)

Communication Complexity: The only messages sent by the user are those for specifying the vectors H_1^L, . . . , H_K^L and H_1^R, . . . , H_K^R as well as ĝ_L, ĝ_R, r_L, r_R; all together O(K^2) bits. The server, on the other hand, sends for each pair of blocks 2(K − 1) bits in the interactive hashing protocol (Step 2). If the protocol halts in Step 3 (either because the server is dishonest or just because of "bad luck") then there is no more communication. Otherwise, for each bad pair the server sends two more bits (and at most 2/3 of the pairs are bad) and for each good pair it sends only one additional bit (and at least 1/3 of the pairs are good). All together, at most n − . . . bits. Therefore, the communication complexity is as claimed by the theorem.



4.1 Proof of Security (Sketch) 

Here we provide the high-level ideas for the proof of security in the malicious case. Suppose that the malicious server can distinguish two indices i and i'. The first (simple-yet-important) observation is that if the index that the user wishes to retrieve happens to be (in a certain execution) in a bad pair of blocks then all the messages sent by the user during this execution are independent of the index. This allows us to concentrate on the good pairs only.

Using the same notation as in the honest-but-curious case (Section 3.1), and repeating a similar hybrid argument, we conclude that (in a typical case) there is a distinguisher that can tell pairs r_L, r_R which are drawn from the distribution

Π_1 : (N, E), (*, *), (*, *), . . . , (*, *)

and pairs which are drawn from the distribution

Π_2 : (E, E), (*, *), (*, *), . . . , (*, *).

118 Eyal Kushilevitz and Rafail Ostrovsky

This again is turned into a predictor for the Goldreich-Levin hard-core predicate. Specifically, let D be the distinguisher between Π_1 and Π_2. Our prediction algorithm B, on input g ∈ G_{K−2} and w ∈ {0,1}^{K−2}, constructs an input for D as follows: As before it chooses ĝ_R ∈ Ĝ including its trapdoor (the corresponding r_R is chosen at random, based on the transcript of the interactive hashing, subject to the constraint that r_R(z*_{1,R}) = r_R(z_{1,R})). Next, B chooses 3 functions g', g'', g''' ∈ G_{K−2} and uses them together with g (in a random order) to define a function ĝ ∈ Ĝ (note that ĝ is distributed as if it was chosen directly from I_Ĝ(1^K)). Suppose that g is g_{b_1 b_2} with respect to ĝ. Next B makes sure that in the interactive hashing protocol corresponding to block z_{1,L} one of the two pre-images will be b_1 b_2 g^{-1}(w) (the properties of interactive hashing guarantee that this is possible; this is done by standard "rewinding" techniques, see [33,29]). Now, there are two cases: either the first block is bad (in which case, as explained above, it cannot be of help for the distinguisher D) or the block is good. If the block is good then this means that one of the two pre-images is b_1 b_2 g^{-1}(w) and the other is b_1' b_2' g_{b_1' b_2'}^{-1}(w') for some function g_{b_1' b_2'} different from g (by the definition of the block being good). Since for each function other than g the algorithm B knows the trapdoor, obtaining from D the information whether the block is of type "E" or type "N" suffices for computing r_L(g^{-1}(w)), as required.

5 Concluding Remarks 

In this paper we show how, based on one-way trapdoor permutations, one can get single-server PIR protocols with communication complexity smaller than n, hence overcoming impossibility results that show that no such protocols exist under certain weaker assumptions [9,2,12]. A major open problem is to lower the communication complexity so that it will be comparable to what can be achieved based on specific assumptions [27,7].

Another interesting observation is that combining our results with results of Naor and Pinkas [30], one can obtain a single-server SPIR protocol [16,27] (i.e., a 1-out-of-n OT with "small" communication complexity) based on any one-way trapdoor permutation whose communication complexity is strictly smaller than n. In contrast, all previous communication-efficient SPIR protocols required specific algebraic assumptions [27,39,7,30]. Specifically, [30] show how to implement SPIR based on a single invocation of PIR and an additional log n invocations of 1-out-of-2 OT on K-bit strings (their construction uses pseudo-random functions; however, those can be implemented from any one-way function [21]). Since implementing 1-out-of-2 OT based on one-way trapdoor permutations can be done with communication complexity which is polynomial in K [20], the total communication complexity of our SPIR protocol is still smaller than n (for sufficiently small K) and we need only the assumption of a one-way trapdoor permutation. This result can also be easily extended to 1-out-of-n string Oblivious Transfer with total communication less than the total size of all the secrets.
Abstract. A Single-Database Private Information Retrieval (PIR) is a protocol that allows a user to privately retrieve from a database an entry with as small as possible communication complexity. We call a PIR protocol non-trivial if its total communication is strictly less than the size of the database. Non-trivial PIR is an important cryptographic primitive with many applications. Thus, understanding which assumptions are necessary for implementing such a primitive is an important task, although (so far) not a well-understood one. In this paper we show that any non-trivial PIR implies Oblivious Transfer, a far better understood primitive. Our result not only significantly clarifies our understanding of any non-trivial PIR protocol, but also yields the following consequences:

— Any non-trivial PIR is complete for all two-party and multi-party 
secure computations. 

— There exists a communication-efficient reduction from any PIR pro- 
tocol to a 1-out-of-n Oblivious Transfer protocol (also called SPIR). 

— There is strong evidence that the assumption of the existence of a 
one-way function is necessary but not sufficient for any non-trivial 
PIR protocol. 



1 Introduction 

Relationships between Cryptographic Primitives. One of the central 
questions in cryptography is to study which assumptions (if any) are necessary 
to implement a cryptographic protocol or task. For most primitives this an- 
swer is well understood, and falls in two categories: either one-way functions 
are necessary and sufficient, or stronger assumptions are necessary (i.e., one- 
way functions with some additional properties like trapdoor may be required). 
For example, pseudo-random generators [20], signature schemes [32,36], com- 
mitment schemes [20,30] and zero-knowledge proofs for NP [20,30,18,34] are all 
equivalent to the existence of a one-way function. On the other hand there is 
a class of primitives that probably needs additional assumptions, including, for 
example, public-key cryptosystems, key-exchange, oblivious transfer [22], non- 
interactive zero-knowledge proofs of knowledge for NP [11] and any non-trivial 
secure two-party [4] and multi-party function evaluation [25]. Single Database 
Private Information Retrieval has received a lot of attention in the literature, 
however its place in the above setting was not understood. In this paper we 
address (and resolve) its position. 

Private Information Retrieval. A Private Information Retrieval (PIR) scheme allows a user to retrieve information from a database while maintaining the query private from the database managers. More formally, the database is modeled as an n-bit string x out of which the user retrieves the i-th bit x_i, while giving the database no information about the index i. The communication complexity of such a scheme is denoted by c(n). A trivial PIR scheme consists of sending the entire data string to the user (i.e., c(n) = n), thus satisfying the PIR privacy requirement in the information-theoretic sense. We call any PIR protocol with c(n) < n non-trivial. The problem of constructing non-trivial PIR was originally introduced by Chor et al. [8] and further studied in [8,1,7,33,27,29,3,12,16,15,6,23,28]. In [8] this problem was studied in the setting of multiple non-communicating copies of the database (further improvements were given in [1,23]). That is, [8] show that if there are at least two or more copies of the database, then non-trivial PIR (for example, with two copies of the database, with communication complexity c(n) = O(n^{1/3})) is indeed possible. In the original work [8] also show that it is information-theoretically impossible to achieve a non-trivial PIR with a single copy of the database. Kushilevitz and Ostrovsky [27] have shown a way to get around this impossibility result using computational assumptions^1. In particular, [27] show that assuming that the quadratic residuosity (number-theoretic) problem is hard, they can get a Single-Database PIR protocol with c(n) < n^ε for any ε > 0. Further constructions of single-database PIR schemes, improving either the communication or the assumption, followed [29,37,6,28]. In particular, Cachin et al. [6] construct PIR with polylogarithmic communication complexity, under the so-called Φ-hiding (number-theoretic) assumption. This is essentially optimal communication complexity since the security parameter needs to be at least poly-logarithmic in n. Recently, [28] have shown a single-database PIR based on any one-way trapdoor permutation, though their communication, while less than n, is bigger than schemes based on specific number-theoretic assumptions [27,29,37,6]. On the other hand, [3] have shown that any non-trivial single-database PIR implies the existence of a one-way function.

Oblivious Transfer. The Oblivious Transfer (OT) protocol was introduced by Rabin [35], one-out-of-two Oblivious Transfer, denoted $\binom{2}{1}$-OT, was introduced in [13], and one-out-of-n Oblivious Transfer, denoted $\binom{n}{1}$-OT, was introduced in [2]. All these OT variants were shown to be equivalent to one another [10,2]. In this paper, we will mainly use the last two versions. Roughly speaking, $\binom{2}{1}$-OT is a protocol between two players, a sender Alice and a receiver Bob. Alice has two bits, and Bob wishes to get one of them such that (a) Alice does

^1 Also, [7,33] consider the use of computational assumptions in the settings of multiple non-communicating databases.

not know which bit Bob got; and (b) Bob does not learn any information about the bit that he did not get. When generalized to $\binom{n}{1}$-OT we can see that the formulation of this primitive is "close" to single-database PIR, in that they both share requirement (a). However, non-trivial PIR has an additional requirement regarding the communication complexity (to be less than the number of bits) and does not require condition (b), which is essential for the definition of Oblivious Transfer. The $\binom{n}{1}$-OT protocol that combines both requirements (a), (b) and the small communication requirement was considered in [16], who call it Symmetric-PIR.

In [24], it was shown that OT is complete, namely it can be used to construct any other protocol problem. [21] have shown that OT implies the existence of one-way functions. Moreover, [22] have shown that assuming OT is probably stronger than assuming the existence of one-way functions (OWF) in the following sense. They show that it is impossible to construct a black-box reduction from OT to OWF (where the OT protocol uses the promised OWF as a black box, and the proof is black-box). Furthermore, proving any such black-box construction (even if the proof itself is not black-box) is as hard as separating P from NP. Thus [22] gives strong evidence that OWF are currently not sufficient to construct OT, namely that OT is a strictly stronger assumption.



Our Results 

In this paper, we present a reduction transforming any non-trivial single-database PIR into Oblivious Transfer. The significance of this reduction is threefold: (1) it provides "negative" results, asserting that PIR cannot be constructed based on weak computational assumptions; (2) it provides a general "positive" result, namely that PIR is also a complete primitive, and any non-trivial implementation of Single-Database PIR may be used to construct any other secure protocol; and (3) it provides a specific "positive" result, allowing transformation from communication-efficient single-database PIR to communication-efficient $\binom{n}{1}$-OT (also called Symmetric-PIR [16]). We elaborate below.

Complexity of PIR. As mentioned above, the original paper of Chor et al. [8] 
shows that it is information-theoretically impossible to implement a non-trivial 
Single-Database PIR. That is, if the user needs information-theoretic privacy, the 
communication cannot be less than n. Thus, some computational assumption is 
necessary. Naturally, this leads to the following question. 

Under which computational assumptions can non-trivial Single- Database 
PIR be achieved? 

While this question has received a lot of attention recently [27,29,37,6,3,28], only limited progress has been achieved thus far towards a solution. In particular, as described above, there has been a large gap between the assumptions known to be sufficient, and those known to be necessary. On one hand, the only assumption previously known to be necessary for non-trivial PIR is the existence of one-way functions [3]; on the other hand, the weakest assumptions known to be sufficient are trapdoor permutations [28]. In this paper we make an important step towards closing this gap, by showing the following

Main Theorem (Informal Statement) If there exists any non-trivial Single-Database PIR then there exists an OT.

That is, even saving one bit compared to the (information-theoretic) trivial pro- 
tocol of sending the entire database, already requires OT. It is interesting to note 
that we can also reduce any code for non-trivial single-database PIR to a code 
for OT; this is similar to code-to-code reductions in [4]. Moreover, our theorem 
holds even if the communication sent by the user in the given PIR scheme is 
unbounded, as long as the database sends less than n bits. 

OT protocol implies the existence of a one-way function [21]. Single database 
PIR also implies the existence of a one-way function [3], but in light of [22] our 
result is strictly stronger and implies the following: 

Corollary (Informal Statement) One-way functions are necessary 
but probably not sufficient to construct non-trivial Single-Database PIR. 

Completeness of Any Non-trivial Single-Database PIR. The following corollary, demonstrating the importance of the PIR primitive, follows from the result of the completeness of OT [24]:

Corollary (Informal Statement) Any non-trivial Single-Database PIR is complete for all two-party and multi-party secure computation.

That is, an implementation of the PIR primitives allows a secure computation 
of any function. 

Symmetric-PIR (Or Communication-efficient $\binom{n}{1}$-OT). In the standard formulation of PIR, there is no concern about how many bits of the database the user learns. If one makes an additional requirement that the user must learn only one bit (or secret) of the database, then this can be viewed as communication-efficient $\binom{n}{1}$-OT (called Symmetrically Private Information Retrieval (SPIR)). SPIR schemes were first introduced in [16] in the setting of multiple databases. In [27] SPIR were shown to exist in the setting of a single database. The single-database SPIR schemes of [27,16,37] were based on specific algebraic assumptions. Naor and Pinkas [31] have shown a general reduction transforming any single-database PIR into single-database SPIR using one call to the underlying PIR protocol, a logarithmic number of calls to one-out-of-two (string) Oblivious Transfer, and the existence of pseudo-random generators. Combining our main result with that of [31] we get:

Theorem (Informal Statement) If there exists any non-trivial Single-Database PIR scheme with communication c(n) and security parameter k, then there exists $\binom{n}{1}$-OT (i.e., SPIR) with communication c(n) · poly(k).
We stress that the efficient communication complexity of the SPIR scheme we construct is the main point of the last theorem. Indeed, in the context of computational assumptions, SPIR is equivalent to the $\binom{n}{1}$-OT variant of Oblivious Transfer. However, this theorem provides a stronger result, since the communication complexity obtained (which is the main parameter in the SPIR context) is efficient, costing only a factor depending on the security parameter (not on n) over the underlying PIR. In particular, when given a PIR scheme with sublinear communication, the resulting SPIR scheme also has sublinear communication.

Proof Outline. The variant of OT that we use here is $\binom{2}{1}$-OT. We prove our results using the following three steps: (1) communication-efficient PIR implies $\binom{2}{1}$-OT for honest parties; (2) communication-efficient PIR implies $\binom{2}{1}$-OT (for possibly dishonest parties); (3) communication-efficient PIR implies communication-efficient SPIR.

2 Preliminaries and Definitions 

In this section we give some general conventions that we will use in the paper 
and the formal definitions for PIR, SPIR, and OT. 

General Conventions. Let ℕ be the set of natural numbers and define [k] = {1, . . . , k}. If S is a set, the notation x ← S denotes the random process of selecting element x from set S with uniform probability distribution over S and independently from all other random choices. If A is an algorithm, the notation y ← A(x) denotes the random process of obtaining y when running algorithm A on input x, where the probability space is given by uniformly and independently choosing the random coins (if any) of algorithm A. By Prob[R_1; . . . ; R_m : E] we denote the probability of event E, after the execution of random processes R_1, . . . , R_m. We denote a distribution D as {R_1; . . . ; R_m : v}, where v denotes the values that D can assume, and R_1, . . . , R_m is a sequence of random processes generating value v. By algorithm we refer to a (probabilistic) Turing machine. An interactive Turing machine is a probabilistic Turing machine with a communication tape. A pair (A, B) of interactive Turing machines running in probabilistic polynomial time is an interactive protocol. A transcript of an execution of an interactive protocol is the sequence of messages that appear on the communication tapes of the two machines forming the protocol during that execution. The notation t_{A,B}(x, r_A, y, r_B) denotes the transcript of an execution of an interactive protocol (A, B) with inputs x for A and y for B and with random strings r_A for A and r_B for B. If t = t_{A,B}(x, r_A, y, r_B) is such a transcript, the output of A (resp. B) on this execution is denoted by A(x, r_A, t) (resp. B(y, r_B, t)). The notation (r_B, t) ← t_{A,B}(x, r_A, y, ·) denotes the random process of selecting a random string r_B uniformly at random (and independently of all other choices), and setting t = t_{A,B}(x, r_A, y, r_B). Similarly we denote (r_A, t) ← t_{A,B}(x, ·, y, r_B) for the case where A's random string is chosen uniformly at random, and (r_A, r_B, t) ← t_{A,B}(x, ·, y, ·) for the case where the random strings for both A and B are chosen uniformly at random.
Private Information Retrieval. Informally, a private information retrieval (PIR) scheme is an interactive protocol between two parties, a database D and a user U. The database holds a data string x ∈ {0,1}^n, and the user holds an index i ∈ [n]. In its one-round version, the protocol consists of (a) a query sent from the user to the database (generated by an efficient randomized query algorithm, taking as an input the index i and a random string r_U); (b) an answer sent by the database (generated by an efficient deterministic (without loss of generality) answer algorithm, taking as an input the query sent by the user and the database x); and (c) an efficient reconstruction function applied by the user (taking as an input the index i, the random string r_U, and the answer sent by the database). At the end of the execution of the protocol, the following two properties must hold: (1) after applying the reconstruction function, the user obtains the i-th data bit x_i; and (2) the distributions on the query sent to the database are computationally indistinguishable for any two indices i, i'. (That is, a computationally bounded database does not receive any information about the index of the user.) We now give a formal definition of a PIR scheme.

Definition 1. (Private Information Retrieval Scheme.) Let (D, U) be an interactive protocol, and let R be a polynomial time algorithm^2. We say that (D, U, R) is a private information retrieval (PIR) scheme if:

1. (Correctness.) For each n ∈ ℕ, each i ∈ {1, . . . , n}, each x ∈ {0,1}^n, where x = x_1 ∘ ⋯ ∘ x_n and x_l ∈ {0,1} for l = 1, . . . , n, and for all constants c, and all sufficiently large k,

$$\mathrm{Prob}\big[(r_{\mathcal D}, r_{\mathcal U}, t) \leftarrow t_{\mathcal D,\mathcal U}\big((1^k, x), \cdot, (1^k, n, i), \cdot\big) : \mathcal R(1^k, n, i, r_{\mathcal U}, t) = x_i\big] > 1 - k^{-c}.$$

2. (User Privacy.) For each n ∈ ℕ, each i, j ∈ {1, . . . , n}, each x ∈ {0,1}^n, where x = x_1 ∘ ⋯ ∘ x_n and x_l ∈ {0,1} for l = 1, . . . , n, for each polynomial time D', for all constants c, and all sufficiently large k, it holds that |p_i − p_j| < k^{−c}, where

$$p_i = \mathrm{Prob}\big[(r_{\mathcal D'}, r_{\mathcal U}, t) \leftarrow t_{\mathcal D',\mathcal U}\big((1^k, x), \cdot, (1^k, n, i), \cdot\big) : \mathcal D'(1^k, x, r_{\mathcal D'}, t) = 1\big]$$

$$p_j = \mathrm{Prob}\big[(r_{\mathcal D'}, r_{\mathcal U}, t) \leftarrow t_{\mathcal D',\mathcal U}\big((1^k, x), \cdot, (1^k, n, j), \cdot\big) : \mathcal D'(1^k, x, r_{\mathcal D'}, t) = 1\big].$$

We say that (D, U, R) is an honest-database PIR scheme if it is a PIR scheme in which the user-privacy requirement is relaxed to hold only for D' that follow the protocol execution as D.

For the sake of generality, the above definition does not pose any restriction on the number of rounds of protocol (D, U); however, we remark that the most studied case in the literature is that of one-round protocols (as discussed above).



^1 For clarity, we chose to include the reconstruction function $\mathcal{R}$ as an explicit part
of the PIR definition. We note however that replacing $\mathcal{R}$ by $\mathcal{U}$ in the correctness
requirement yields an equivalent definition (where the reconstruction function is an
implicit part of $\mathcal{U}$, who executes it to produce an output).
Symmetrically Private Information Retrieval. Informally, a symmetrically
private information retrieval (SPIR) scheme is a PIR scheme satisfying
an additional privacy property: data privacy. Namely, for each execution, there
exists an index $i$, such that the distributions on the user's view are computationally
indistinguishable for any two databases $x, y$ such that $x_i = y_i$. (That is,
a computationally bounded user does not receive information about more than
a single bit of the data.) We now give a formal definition of a SPIR scheme.

Definition 2. (Symmetrically Private Information Retrieval Scheme)

Let $(\mathcal{D},\mathcal{U},\mathcal{R})$ be a PIR scheme. We say that $(\mathcal{D},\mathcal{U},\mathcal{R})$ is a symmetrically private
information retrieval (SPIR) scheme if in addition it holds that

3. (Data Privacy.) For each $n \in \mathbb{N}$, for each polynomial time $\mathcal{U}'$, each $i' \in
\{1,\ldots,n\}$, and each random string $r_{\mathcal{U}'}$, there exists an $i \in \{1,\ldots,n\}$ such
that for each $x, y \in \{0,1\}^n$ where $x = x_1 \circ \cdots \circ x_n$ and $y = y_1 \circ \cdots \circ y_n$,
$x_l, y_l \in \{0,1\}$ for $l = 1,\ldots,n$, and such that $x_i = y_i$, for all constants $c$ and
all sufficiently large $k$, it holds that $|p_x - p_y| < k^{-c}$, where

$$p_x = \Pr\big[(r_{\mathcal{D}}, t) \leftarrow \mathrm{tr}_{\mathcal{D},\mathcal{U}'}((1^k, x), \cdot, (1^k, n, i'), r_{\mathcal{U}'}) \;:\; \mathcal{U}'(1^k, n, i', r_{\mathcal{U}'}, t) = 1\big]$$
$$p_y = \Pr\big[(r_{\mathcal{D}}, t) \leftarrow \mathrm{tr}_{\mathcal{D},\mathcal{U}'}((1^k, y), \cdot, (1^k, n, i'), r_{\mathcal{U}'}) \;:\; \mathcal{U}'(1^k, n, i', r_{\mathcal{U}'}, t) = 1\big].$$

Oblivious Transfer. Informally, a $\binom{2}{1}$-Oblivious Transfer ($\binom{2}{1}$-OT) is an
interactive protocol between Alice, holding two bits $b_0, b_1$, and Bob, holding a
selection bit $c$. At the end of the protocol, Bob should obtain the bit $b_c$, but no
information about $b_{\bar c}$, whereas Alice should obtain no information about $c$. (By
"obtaining no information" we mean that the two possible views are indistinguishable.)
The extension to $\binom{n}{1}$-OT is immediate. A formal definition follows.

Definition 3. ($\binom{2}{1}$-Oblivious Transfer)

Let (Alice, Bob) be an interactive protocol. We say that (Alice, Bob) is a $\binom{2}{1}$-
Oblivious Transfer ($\binom{2}{1}$-OT) protocol with security parameter $k$ if it holds that:

1. (Correctness). For all $b_0, b_1, c \in \{0,1\}$, all constants $d$, and all sufficiently
large $k$,

$$\Pr\big[(r_A, r_B, t) \leftarrow \mathrm{tr}_{\mathrm{Alice},\mathrm{Bob}}((1^k, b_0, b_1), \cdot, (1^k, c), \cdot) \;:\; \mathrm{Bob}(1^k, c, r_B, t) = b_c\big] > 1 - k^{-d}.$$

2. (Privacy against Alice). For all probabilistic polynomial time Alice', all
$b_0, b_1 \in \{0,1\}$, all constants $d$, and all sufficiently large $k$,

$$\Pr\big[c \leftarrow \{0,1\};\ (r_{A'}, r_B, t) \leftarrow \mathrm{tr}_{\mathrm{Alice}',\mathrm{Bob}}((1^k, b_0, b_1), \cdot, (1^k, c), \cdot) \;:\; \mathrm{Alice}'(1^k, b_0, b_1, r_{A'}, t) = c\big] < 1/2 + k^{-d}.$$

3. (Privacy against Bob). For all probabilistic polynomial time Bob', all $c' \in
\{0,1\}$, and all random strings $r_{B'}$, there exists $c \in \{0,1\}$ such that for all
constants $d$, and all sufficiently large $k$,

$$\Pr\big[(b_0, b_1) \leftarrow \{0,1\}^2;\ (r_A, t) \leftarrow \mathrm{tr}_{\mathrm{Alice},\mathrm{Bob}'}((1^k, b_0, b_1), \cdot, (1^k, c'), r_{B'}) \;:\; \mathrm{Bob}'(1^k, c', r_{B'}, t) = b_{\bar c}\big] < 1/2 + k^{-d}.$$
We say that (Alice, Bob) is an honest-Bob-$\binom{2}{1}$-OT protocol if it is a $\binom{2}{1}$-OT
protocol in which privacy against Bob is relaxed to hold only when Bob is honest
(but curious). That is, condition (3) in Definition 3 is relaxed to

3'. (Privacy against honest-but-curious Bob). For all probabilistic polynomial
time CuriousB, all $c \in \{0,1\}$, for all constants $d$, and all sufficiently large $k$,

$$\Pr\big[(b_0, b_1) \leftarrow \{0,1\}^2;\ (r_A, r_B, t) \leftarrow \mathrm{tr}_{\mathrm{Alice},\mathrm{Bob}}((1^k, b_0, b_1), \cdot, (1^k, c), \cdot) \;:\; \mathrm{CuriousB}(1^k, c, r_B, t) = b_{\bar c}\big] < 1/2 + k^{-d}.$$

We say that (Alice, Bob) is an honest-parties-$\binom{2}{1}$-OT protocol if it is a $\binom{2}{1}$-OT
protocol where privacy requirements are relaxed to hold only when both Alice
and Bob are honest-but-curious; that is, (Alice, Bob) should satisfy correctness,
privacy against honest-but-curious Bob (as defined above), and privacy against
honest-but-curious Alice (which is similarly defined).

We remark that the definitions of $\binom{2}{1}$-OT and its honest-but-curious versions are
extended in the obvious way to the case of $\binom{n}{1}$-OT, for any $n \geq 3$.



Communication Complexity. Let $(\mathcal{D},\mathcal{U},\mathcal{R})$ be a PIR scheme. We define
the communication complexity of $(\mathcal{D},\mathcal{U},\mathcal{R})$ as the maximal length $c(n)$ of a
transcript returned by a possible execution of $(\mathcal{D},\mathcal{U},\mathcal{R})$, where $n$ is the size of
$\mathcal{D}$'s input (i.e. the length of the database). We define the database communication
complexity as the maximal length $c_{\mathcal{D}}(n)$ of the communication sent by $\mathcal{D}$ in any
execution of $(\mathcal{D},\mathcal{U},\mathcal{R})$, and similarly the user communication complexity $c_{\mathcal{U}}(n)$.
That is, $c(n) = c_{\mathcal{D}}(n) + c_{\mathcal{U}}(n)$. The communication complexity of a SPIR scheme
and of an $\binom{n}{1}$-OT scheme are similarly defined.

SPIR vs. $\binom{n}{1}$-OT. It can be easily verified that $\binom{n}{1}$-OT is equivalent to SPIR
with a database of length $n$. The reason we need two concepts (and the reason
we formulated the definitions in two different, though equivalent, ways) is the
different motivations for using these primitives (and the way they were historically
defined). In particular, we note that when constructing a SPIR protocol,
the communication complexity is a crucial parameter.



3 PIR Implies Honest-Bob-$\binom{2}{1}$-OT

In this section we construct an honest-Bob-$\binom{2}{1}$-OT protocol from any PIR scheme
with database communication complexity $c_{\mathcal{D}}(k) < k$ (and arbitrary user
communication complexity $c_{\mathcal{U}}(k)$), for a database of length $k$.^6

^6 In this section and the next we denote the database length by $k$, since the way
it will be used will be for a database whose length depends (polynomially) on the
security parameter. This is to avoid confusion with the length of the actual database
$n$ in the last section, where we construct SPIR using this $\binom{2}{1}$-OT.
The Protocol Description. Let $\mathcal{P} = (\mathcal{D},\mathcal{U},\mathcal{R})$ be a PIR scheme with
database communication $c_{\mathcal{D}}(k) < k$. Our $\binom{2}{1}$-OT protocol consists of simultaneously
invoking polynomially many^ independent executions of $\mathcal{P}$ with a random
data string for $\mathcal{D}$ (run by Alice) and random indices for $\mathcal{U}$ (run by Bob). In
addition, Bob sends to Alice two sequences of indices (one consists of the indices
retrieved in the PIR invocations, and one is a sequence of random indices),
and in response Alice sends to Bob her two secret bits appropriately masked,
so that Bob can reconstruct only one of them. A formal description of protocol
(Alice, Bob) is in Figure 1. We note that some techniques related to those in our
construction have appeared in [5]; however, we remark that the protocol of [5]
cannot be used in our case, mainly because of the differences in the models. We
next prove that (Alice, Bob) is an honest-Bob-$\binom{2}{1}$-OT protocol.

Correctness. In order to prove the correctness of (Alice, Bob), we need to
show that Bob outputs $b_c$ with probability at least $1 - k^{-d}$. First, notice that
if Bob is able to correctly reconstruct all bits $x^j(i^j)$ for $j = 1,\ldots,m$, after the
$m$ executions of the PIR protocol in step 1, then he is able to compute the
right value for $b_c$ in step 5. Next, from the correctness of $\mathcal{P} = (\mathcal{D},\mathcal{U},\mathcal{R})$, Bob,
who is playing as $\mathcal{U}$, is able to reconstruct all bits $x^j(i^j)$ with probability at
least $(1 - k^{-c})^m$, for every constant $c$, since the $m$ executions of $(\mathcal{D},\mathcal{U})$ are all
independent. This probability is then at least $1 - k^{-d}$ since $m$ is polynomial in $k$
(indeed $(1 - k^{-c})^m \geq 1 - m k^{-c}$, and $c$ may be chosen larger than $d$ plus the
degree of $m$).

Privacy against Alice. In order to prove that (Alice, Bob) satisfies the property
of privacy against Alice, we need to show that for any probabilistic polynomial
time algorithm Alice', the probability that Alice', at the end of the protocol,
is able to compute the bit $c$ input to Bob is at most $1/2 + k^{-d}$ (where probability
is taken over the uniform distribution of $c$ and the random strings of Alice'
and Bob). Informally, this follows from the user's privacy in the PIR subprotocol
$\mathcal{P}$, which guarantees that in each invocation Alice gets no information about the
index used by Bob, and thus cannot tell between the sequence of real indices
used and the sequence of random indices (since both these sequences are
distributed uniformly). A more formal argument follows. Assume for the sake of
contradiction that the property is not true; namely, there exists a probabilistic
polynomial time algorithm Alice' which, after running protocol (Alice', Bob),
is able to compute $c$ with probability at least $1/2 + k^{-d}$, for some constant $d$
and infinitely many $k$. In step 3, Bob sends two $m$-tuples $(I_0, I_1)$ of indices to
Alice', such that $I_c$ is the tuple of indices used by Bob in the PIR invocations
of step 1, and $I_{\bar c}$ is a tuple containing random indices. Therefore, Alice' is able
to guess with probability at least $1/2 + k^{-d}$ which one of $I_0, I_1$ is the tuple of
retrieved indices. This implies, by a hybrid argument, that for some position
$j \in \{1,\ldots,m\}$, Alice' can guess with probability at least $1/2 + k^{-d}/m$ whether
in the $j$-th PIR invocation the index used was $i^j_0$ or $i^j_1$. Since all PIR invocations

^ The number of invocations, $m$, is a parameter whose value can be set based on the
communication complexity of $\mathcal{P}$ and the target (negligible) probability of error in
OT, but will always be polynomial in $k$ as will become clear below.
Honest-Bob-$\binom{2}{1}$-OT

Alice's inputs: $1^k$ (where $k$ is a security parameter) and $b_0, b_1 \in \{0,1\}$.

Bob's inputs: $1^k$ and $c \in \{0,1\}$.

Additional (common) inputs: a parameter $m$ polynomial in $k$, and a PIR
protocol $(\mathcal{D},\mathcal{U},\mathcal{R})$.

Instructions for Alice and Bob:

1. For every $j \in \{1,\ldots,m\}$ do:

   - Alice uniformly chooses a data string $x^j \in \{0,1\}^k$
     (where $x^j$ can be written as $x^j(1) \circ \cdots \circ x^j(k)$, for $x^j(i) \in \{0,1\}$).

   - Bob uniformly chooses an index $i^j \in [k]$.

   - Alice and Bob invoke the PIR protocol $(\mathcal{D},\mathcal{U},\mathcal{R})$ where Alice plays
     the role of $\mathcal{D}$ on input $(1^k, x^j)$ and Bob plays the role of $\mathcal{U}$ on input
     $(1^k, k, i^j)$. (That is, Alice and Bob execute $(\mathcal{D},\mathcal{U})$ on the above inputs,
     and then Bob applies the reconstruction function $\mathcal{R}$ to obtain the bit
     $x^j(i^j)$.)

2. Bob sets $(i^1_c, \ldots, i^m_c) \leftarrow (i^1, \ldots, i^m)$ (* the indices retrieved *)
   and uniformly chooses $(i^1_{\bar c}, \ldots, i^m_{\bar c})$ from $[k]^m$. (* random indices *)

3. Bob sends to Alice $(i^1_0, \ldots, i^m_0)$ and $(i^1_1, \ldots, i^m_1)$.

4. Alice sets $z_0 \leftarrow b_0 \oplus x^1(i^1_0) \oplus \cdots \oplus x^m(i^m_0)$ and
   $z_1 \leftarrow b_1 \oplus x^1(i^1_1) \oplus \cdots \oplus x^m(i^m_1)$,
   and sends $z_0, z_1$ to Bob;

5. Bob computes $b_c = z_c \oplus x^1(i^1_c) \oplus \cdots \oplus x^m(i^m_c)$ and outputs $b_c$.

Fig. 1. A protocol (Alice, Bob) for honest-Bob-$\binom{2}{1}$-OT, using a PIR protocol
$\mathcal{P} = (\mathcal{D},\mathcal{U},\mathcal{R})$ with $c_{\mathcal{D}}(k) < k$ database communication complexity.



are independent (implying that the indices in different positions within $I_0$ and
$I_1$ are independent), it is straightforward to use Alice' to construct a $\mathcal{D}'$ which
distinguishes in a single PIR execution between the index used by the user and
a random index, with probability at least $1/2 + k^{-d}/m$. Since $m$ is polynomial,
this is a non-negligible advantage, and thus contradicts the user privacy of $\mathcal{P}$.
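The following simulation of the Figure 1 protocol is an added example and not code from the paper. It plugs in a constructed toy PIR (`ToyPIR`, in which the user sends its index in the clear and the database answers with that one bit, so $c_{\mathcal{D}}(k) = 1 < k$). That toy has no user privacy, so the simulation exercises only correctness and the masking of $b_{\bar c}$ in steps 2-5, not privacy against Alice. The names `run_ot`, `BobView` and `other_bit_determined` are introduced here for illustration.

```python
"""Simulation of the honest-Bob (2 choose 1)-OT of Figure 1 (added example).

Assumption: ToyPIR below is a constructed stand-in for the PIR sub-protocol.
It leaks the user's index, so it only models the property the transformation
actually relies on: Bob ends up knowing exactly one bit of each database x^j.
"""
import secrets
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple


class ToyPIR:
    """Constructed toy PIR (no user privacy): query = the index itself,
    answer = one database bit. Database communication: 1 bit per run."""

    @staticmethod
    def user_query(i: int) -> int:
        return i                      # U's message; leaks i (toy only)

    @staticmethod
    def database_answer(x: Sequence[int], query: int) -> int:
        return x[query - 1]           # D's message: x_i (indices are 1-based)

    @staticmethod
    def reconstruct(i: int, answer: int) -> int:
        return answer                 # R: the answer already is the bit


@dataclass
class BobView:
    """Everything an honest-but-curious Bob sees during one execution."""
    c: int
    retrieved: List[Tuple[int, int]] = field(default_factory=list)  # (i^j, x^j(i^j))
    random_indices: List[int] = field(default_factory=list)        # i_{bar c}^j
    z: Tuple[int, int] = (0, 0)                                    # (z_0, z_1)


def run_ot(b0: int, b1: int, c: int, k: int, m: int, pir=ToyPIR) -> Tuple[int, BobView]:
    """One execution of the Figure 1 protocol. Returns Bob's output and his view."""
    view = BobView(c=c)
    alice_dbs: List[List[int]] = []
    retrieved_idx: List[int] = []
    # Step 1: m independent PIR executions, each on a fresh random k-bit database.
    for _ in range(m):
        x_j = [secrets.randbelow(2) for _ in range(k)]   # Alice: x^j <- {0,1}^k
        i_j = secrets.randbelow(k) + 1                    # Bob:   i^j <- [k]
        answer = pir.database_answer(x_j, pir.user_query(i_j))
        bit = pir.reconstruct(i_j, answer)                # Bob now holds x^j(i^j)
        alice_dbs.append(x_j)
        retrieved_idx.append(i_j)
        view.retrieved.append((i_j, bit))
    # Step 2: I_c = the retrieved indices, I_{1-c} = fresh uniform indices.
    random_idx = [secrets.randbelow(k) + 1 for _ in range(m)]
    view.random_indices = random_idx
    tuples = {c: retrieved_idx, 1 - c: random_idx}
    # Step 3: Bob sends (I_0, I_1).  Step 4: Alice masks b_d with the bits of
    # her databases at the positions listed in I_d and returns z_0, z_1.
    z = []
    for d, b in ((0, b0), (1, b1)):
        mask = 0
        for j in range(m):
            mask ^= alice_dbs[j][tuples[d][j] - 1]
        z.append(b ^ mask)
    view.z = (z[0], z[1])
    # Step 5: Bob strips the mask on z_c using the bits he actually retrieved.
    out = z[c]
    for _, bit in view.retrieved:
        out ^= bit
    return out, view


def other_bit_determined(view: BobView) -> bool:
    """With ToyPIR, Bob learns exactly one bit x^j(i^j) per invocation, so the
    mask on z_{1-c} is fixed by his view only if every random index i_{1-c}^j
    equals the retrieved index i^j (probability k^-m). Otherwise at least one
    mask bit is a uniform bit he never saw, and z_{1-c} is a one-time pad of
    b_{1-c}: the information-theoretic privacy against a curious Bob."""
    return all(r == i for (i, _), r in zip(view.retrieved, view.random_indices))
```

With a real PIR of database communication $c_{\mathcal{D}}(k) < k$ the argument is the entropy bound of Lemma 1 rather than the exact one-bit accounting of `other_bit_determined`, but the data flow between the two parties is the one shown.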



Privacy against Honest-but-Curious Bob. In order to prove that the pair
(Alice, Bob) satisfies the property of privacy against an honest-but-curious Bob,
we need to show that the probability that Bob, after behaving honestly in the
protocol, is able to compute the bit $b_{\bar c}$ is at most $1/2 + k^{-d}$ (where probability
is taken over the uniform distribution of $b_0, b_1$, and the random strings of Alice
and Bob). In order to prove this property for an appropriate polynomial number
$m$ of invocations of $(\mathcal{D},\mathcal{U})$ in step 1, we start by considering a single invocation.
In the following lemma we consider the probability $p$ that a malicious user $\mathcal{U}'$,
after invoking $(\mathcal{D},\mathcal{U}')$ where $\mathcal{D}$ uses a uniformly chosen database, fails in
reconstructing a bit in a random location $j$ in the database. Note that $j$ is not known
to $\mathcal{U}'$ when running $(\mathcal{D},\mathcal{U}')$.^ We also note that no further requirements about
$\mathcal{U}'$ or its computational power are necessary. In the following we show that if
the database communication complexity is less than the length of the data, this
failure probability is non-negligible. This is shown by first bounding the binary
entropy of the failure probability.

Lemma 1. Let $\mathcal{P} = (\mathcal{D},\mathcal{U},\mathcal{R})$ be a PIR scheme with database communication
complexity $c_{\mathcal{D}}(k)$. For every interactive Turing machine $\mathcal{U}'$, every reconstruction
algorithm $\mathcal{R}'$, every $r_{\mathcal{U}'}$, and every $k$, let

$$p = \Pr\big[x = x_1 \circ \cdots \circ x_k \leftarrow \{0,1\}^k;\ (r_{\mathcal{D}}, t) \leftarrow \mathrm{tr}_{\mathcal{D},\mathcal{U}'}((1^k, x), \cdot, 1^k, r_{\mathcal{U}'});\ j \leftarrow [k] \;:\; \mathcal{R}'(1^k, r_{\mathcal{U}'}, t, j) \neq x_j\big].$$

Then it holds that $H(p) \geq \dfrac{k - c_{\mathcal{D}}(k)}{k}$, where $H(p)$ is the binary entropy function

$$H(p) = p \log(1/p) + (1-p)\log(1/(1-p)).$$

Proof. We need to prove that, for every $\mathcal{U}'$ and $\mathcal{R}'$, after running $(\mathcal{D},\mathcal{U}')$ with a
uniform data string for $\mathcal{D}$, the probability that $\mathcal{R}'$ fails in reconstructing a data
bit in a uniformly chosen location $j$ has binary entropy which is bounded below
by $(k - c_{\mathcal{D}}(k))/k$. This is proved using standard information theory arguments (e.g.,
similar arguments have been used in [3]). For background and terminology used
in the proof below, see for example [9].

Let $X$ be the random variable ranging over the data strings (where $X_j$ corresponds
to the $j$-th bit), and $A$ be the random variable ranging over the database
answers. Thus, the length of $A$ is at most $c_{\mathcal{D}}(k)$, implying that $H(A) \leq c_{\mathcal{D}}(k)$
(where $H$ is the entropy function for random variables). Let $\hat{X} \in \{0,1\}^k$ denote
the user's reconstruction of the data string $X$, namely (following the notation in
the lemma) $\hat{X}_j = \mathcal{R}'(1^k, r_{\mathcal{U}'}, t, j)$ for $j \in [k]$. Let $p_j = \Pr[\hat{X}_j \neq X_j]$ be the
probability of failure in reconstructing the $j$-th bit. The probability of failure in
reconstructing a random bit-location is therefore $p = (1/k)\sum_{j=1}^k p_j$. By Fano's
inequality (see [9]), we have that $H(p_j) \geq H(X_j \mid A)$ for all $j = 1,\ldots,k$, where
$H(p_j)$ refers to the binary entropy function and $H(X_j \mid A)$ is the entropy of $X_j$
given $A$. By the chain rule for entropy,

$$H(X \mid A) = \sum_{j=1}^k H(X_j \mid A, X_{j-1}, \ldots, X_1) \leq \sum_{j=1}^k H(X_j \mid A).$$

On the other hand,

$$H(X \mid A) = H(X) - H(A) + H(A \mid X) = k - H(A) \geq k - c_{\mathcal{D}}(k),$$

where the last equality follows since $A$ is determined by $X$ (the inequality
$H(X \mid A) \geq k - H(A)$ holds in any case, since $H(A \mid X) \geq 0$). Putting all the above
together and using the concavity of the entropy function, we obtain that

$$H(p) = H\Big(\frac{1}{k}\sum_{j=1}^k p_j\Big) \geq \frac{1}{k}\sum_{j=1}^k H(p_j) \geq \frac{1}{k}\sum_{j=1}^k H(X_j \mid A) \geq \frac{H(X \mid A)}{k} \geq \frac{k - c_{\mathcal{D}}(k)}{k}.$$

□

^ Indeed, if $\mathcal{U}'$ had known which location $j$ he would have to reconstruct, he could
run the honest user algorithm $\mathcal{U}$ with input $j$, and could reconstruct the correct bit
with high probability using the reconstruction function $\mathcal{R}$.

Remark 1. Note that Lemma 1 holds even when $c_{\mathcal{D}}(k)$ is defined as the expected
database communication complexity (rather than the worst-case one). This is
because the proof above holds for any $c_{\mathcal{D}}(k) \geq H(A)$, and indeed the expected
length of $A$ is bounded below by the entropy of $A$ (according to the entropy
bound on data compression [9]).

The relation between the failure probability $p$ and its binary entropy is given by
the following fact (the proof follows from the expression for the entropy function
and is omitted).

Fact 1. For every $\varepsilon > 0$ there exists a constant $c > 0$ such that for every
$0 < p < c$, $p\log(1/p) \leq H(p) \leq (1+\varepsilon)\, p\log(1/p)$.

The above fact allows us to translate the lower bound on $H(p)$ into a lower bound
on $p$. For example, a loose manipulation of the fact yields that, for any $\delta > 0$ and
small enough $p$, $p \geq H(p)^{1+\delta}$. More generally, if $H(p)$ is non-negligible then $p$ is
also non-negligible. For sake of concreteness, we state a corollary bounding the
failure probability, using $\delta = 1$. This will be sufficient for our needs, although as
explained tighter corollaries can be derived.

Corollary 1. Let $\mathcal{P} = (\mathcal{D},\mathcal{U},\mathcal{R})$ be a PIR scheme with database communication
complexity $c_{\mathcal{D}}(k)$. Then there exists a constant $c > 0$ such that for every interactive
Turing machine $\mathcal{U}'$, every reconstruction algorithm $\mathcal{R}'$, every $r_{\mathcal{U}'}$, and every $k$,
letting $p$ be as in Lemma 1, we have that either $p > c$, or $p \geq (1 - c_{\mathcal{D}}(k)/k)^2$.

Thus, if the communication complexity $c_{\mathcal{D}}(k) < k$, the probability that the
user fails to reconstruct a bit in a random location after a single execution is
non-negligible. For example, if $c_{\mathcal{D}}(k) = k - 1$ this failure probability is at least
$1/\mathrm{poly}(k)$, and if $c_{\mathcal{D}}(k) \leq k/2$ the failure probability is constant.
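As an added numerical check of Lemma 1, Fact 1 and Corollary 1 (example code written for this page, not part of the paper), the script below inverts the binary entropy function to obtain the exact smallest failure probability $p$ compatible with $H(p) \geq 1 - c_{\mathcal{D}}(k)/k$ and compares it with the looser Corollary 1 bound $(1 - c_{\mathcal{D}}(k)/k)^2$. The function names (`binary_entropy`, `min_failure_probability`, `corollary1_bound`, `fact1_holds`, `invocations_for_failure`) are introduced here; the last one is only a heuristic estimate of how many invocations $m$ the "appropriately chosen polynomial number" in the text amounts to.

```python
"""Numerical companion to Lemma 1 / Fact 1 / Corollary 1 (added example)."""
import math


def binary_entropy(p: float) -> float:
    """H(p) = p log(1/p) + (1-p) log(1/(1-p)), base 2, with H(0) = H(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def entropy_lower_bound(k: int, c_d: float) -> float:
    """Right-hand side of Lemma 1: H(p) >= (k - c_D(k)) / k."""
    return (k - c_d) / k


def min_failure_probability(k: int, c_d: float, iters: int = 100) -> float:
    """Smallest p in [0, 1/2] with H(p) >= 1 - c_D(k)/k.

    H is increasing on [0, 1/2], so a binary search on p inverts it; the result
    is the exact lower bound on the failure probability implied by Lemma 1."""
    target = entropy_lower_bound(k, c_d)
    lo, hi = 0.0, 0.5
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if binary_entropy(mid) < target:
            lo = mid
        else:
            hi = mid
    return hi


def corollary1_bound(k: int, c_d: float) -> float:
    """Corollary 1 with delta = 1: for small p, p >= (1 - c_D(k)/k)^2."""
    return (1.0 - c_d / k) ** 2


def fact1_holds(p: float, eps: float) -> bool:
    """Check the two-sided estimate of Fact 1 at a given p:
    p log(1/p) <= H(p) <= (1 + eps) p log(1/p).  True only for small p."""
    lead = p * math.log2(1.0 / p)
    h = binary_entropy(p)
    return lead <= h <= (1.0 + eps) * lead


def invocations_for_failure(p: float, target: float) -> int:
    """Heuristic (not from the paper): if each of m independent invocations is
    reconstructed with probability at most 1 - p, the chance of reconstructing
    all of them is at most (1 - p)^m; this is the m that pushes it below
    `target`.  With p >= 1/poly(k) and target = 2^-k, m is polynomial in k."""
    return math.ceil(math.log(target) / math.log(1.0 - p))
```

For $c_{\mathcal{D}}(k) = k - 1$ with $k = 100$ the exact bound is about $8.6 \cdot 10^{-4}$, while the Corollary 1 bound is $10^{-4}$, so the corollary is indeed the looser of the two; for $c_{\mathcal{D}}(k) = k/2$ the exact bound is already a constant near $0.11$, which is the "$p > c$" case of the corollary.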

Finally, recall that in our protocol Alice and Bob run $m$ independent invocations
of $(\mathcal{D},\mathcal{U})$ and (since Bob is honest-but-curious) $I_{\bar c} = (i^1_{\bar c}, \ldots, i^m_{\bar c})$ is a
uniformly chosen $m$-tuple, independent of the random choices made in the PIR
invocations. Moreover, Bob is able to reconstruct $b_{\bar c}$ if and only if he can reconstruct
the exclusive-or of all values $x^1(i^1_{\bar c}) \oplus \cdots \oplus x^m(i^m_{\bar c})$, since he receives $z_{\bar c}$
from Alice in step 4. This, together with Corollary 1, yields that for an appropriately
chosen polynomial number $m$, the failure probability is exponentially close
to 1, namely Bob's probability of correctly reconstructing $b_{\bar c}$ is negligible. We
conclude that our protocol maintains privacy against honest-but-curious Bob.

We have proved that the protocol of Figure 1 maintains correctness, privacy
against Alice, and privacy against honest-but-curious Bob. We have therefore
proved the following theorem.

Theorem 1. If there exists a single database PIR scheme with database communication
complexity $c_{\mathcal{D}}(k) < k$, where $k$ is the length of the database, then
there exists an honest-Bob-$\binom{2}{1}$-OT protocol with security parameter $k$.
Similarly, it is easy to see that using a PIR scheme for which the user-privacy
requirement holds with respect to honest databases (rather than malicious
ones) in the protocol of Figure 1 yields a $\binom{2}{1}$-OT protocol for which both
privacy requirements hold with respect to honest Alice and Bob.

Theorem 2. If there exists an honest-database PIR scheme with database communication
complexity $c_{\mathcal{D}}(k) < k$, where $k$ is the length of the database, then
there exists an honest-parties-$\binom{2}{1}$-OT protocol with security parameter $k$.

The following remarks about the full strength of Theorem 1 follow from the 
proof above. 

Round and Communication Complexity. Our protocol for honest-Bob-$\binom{2}{1}$-
OT requires the same number of rounds as the underlying PIR protocol $\mathcal{P}$, and
in particular if $\mathcal{P}$ has one round, so does the new protocol. This is so, since all
the messages that need to be sent by Bob (in steps 1, 3 of our protocol) can
be computed in parallel and sent to Alice in a single message, and similarly all
messages that need to be sent back by Alice (in steps 1, 4) can be sent to Bob in
a single message. We also note that our theorem holds even when we consider
expected communication complexity (rather than maximal).

Computational Power of the Parties. Our transformation from PIR to
honest-Bob-$\binom{2}{1}$-OT preserves the computational power of the parties; namely, if
$\mathcal{D}$ (resp., $\mathcal{U}$) runs in polynomial time, then so does Alice (resp., Bob). In terms
of privacy, our result is stronger than stated in Theorem 1; namely, the privacy
against the honest-but-curious Bob is information-theoretic (to see this, observe
that in the proof of this property we never make any assumption on the computational
power of Bob, but rather rely on Lemma 1 which is information-theoretic).
On the other hand, the privacy against Alice requires the same assumptions
as on the computational power of $\mathcal{D}$ in the PIR protocol $(\mathcal{D},\mathcal{U})$; however, notice
that Alice must be computationally bounded, since there exists no single
database PIR protocol with communication complexity smaller than the size of
the database and private against a computationally unbounded database [8].

Our Reduction. We note that our construction is a black-box reduction in the
following sense: the $\binom{2}{1}$-OT uses the underlying PIR protocol as a subroutine
with the only guarantee that the total number of bits that the user gets regarding the
database is strictly less than the total size of the database (i.e., without relying on
any specific features of the implementation, and without making any additional
assumptions about the implementation). Thus any idealized implementation of
this primitive (as a black-box) will also work for our purposes. As a consequence,
our reduction is also "code-to-code". That is, any implementation of a non-trivial
single-database PIR protocol will also give an implementation of OT. In this
aspect, our reduction is similar to [4].

4 PIR Implies $\binom{2}{1}$-OT (Even for Dishonest Parties)

In this section, we transform the protocol given in Figure 1 into a protocol that
is resilient against arbitrary (possibly dishonest) parties. That is, we prove the
following analogue of Theorem 1.
Theorem 3. If there exists a single database PIR scheme with database communication
complexity $c_{\mathcal{D}}(k) < k$, where $k$ is the length of the database, then
there exists a $\binom{2}{1}$-OT protocol with security parameter $k$. Moreover, if the original
PIR scheme requires a constant number of rounds then so does the resulting
$\binom{2}{1}$-OT protocol.

Proof. Let $\mathcal{P}$ be a PIR scheme with database communication $c_{\mathcal{D}}(k) < k$. Theorem
1 guarantees an implementation of $\binom{2}{1}$-OT for honest-but-curious Bob. Such
an implementation may be transformed into one for dishonest parties, using (by
now standard) techniques originating in [18,19], based on commitment schemes
and zero-knowledge proofs for NP-complete languages. The resulting reduction,
however, would return a protocol for $\binom{2}{1}$-OT having a number of rounds polynomial
in $k$ even if the original PIR scheme has a constant number of rounds. Below
we sketch a more direct reduction, combining ideas in [19] with techniques for
witness-indistinguishable protocols from [14], which yields a constant round
$\binom{2}{1}$-OT whenever $\mathcal{P}$ is a constant round PIR.

Let us denote by (Alice, Bob) the $\binom{2}{1}$-OT scheme obtained by applying Theorem
1 to $\mathcal{P}$. In order to achieve privacy against a possibly dishonest Bob, it is
enough to design the scheme so that the following two properties are satisfied:
(1) the two $m$-tuples of indices $(i^1_0, \ldots, i^m_0)$ and $(i^1_1, \ldots, i^m_1)$ are uniformly and
independently distributed over $[k]^m$; (2) Bob's messages during the execution
of the PIR subprotocols are computed according to the specified program, and
using randomness that is independently distributed from the above two $m$-tuples
of indices. In order to achieve the first property, the two $m$-tuples are computed
using a coin-flipping subprotocol at the beginning of protocol (Alice, Bob). In
order to achieve the second property, at the beginning of the protocol Bob commits
to the randomness to be later used while running the PIR subprotocol.
Specifically, the protocol (Alice, Bob) is modified as follows.

At the beginning of protocol (Alice, Bob):

1. Bob commits to a sufficiently long random string $R$ and to randomly chosen
indices $(l^1_0, \ldots, l^m_0)$ and $(l^1_1, \ldots, l^m_1)$ by sending three commitment keys $\mathrm{com}_R$,
$\mathrm{com}_0$, $\mathrm{com}_1$;

2. Alice sends random indices $(h^1_0, \ldots, h^m_0)$ and $(h^1_1, \ldots, h^m_1)$;

3. Bob sets $i^j_d = ((h^j_d + l^j_d) \bmod k) + 1$, for $j = 1,\ldots,m$ and $d = 0,1$;

When required to use indices $(i^1_c, \ldots, i^m_c)$ in step 1 of (Alice, Bob), for each
message he sends:

4. Bob proves that the message has been correctly computed according to the
PIR subprotocol, using the string $R$ committed in step 1 above as random
tape, and using as a tuple of indices one of the two $m$-tuples committed in
step 1 above. This can be written as an NP statement and can be efficiently
reduced to a membership statement $T$ for an NP-complete language. Bob
proves $T$ to Alice by using a witness-indistinguishable proof system.

When required to send indices $(i^1_d, \ldots, i^m_d)$, for $d = 0,1$, in step 3 of (Alice, Bob):

5. Bob proves that the two tuples he is sending have been correctly computed
in the following sense: one is the same used in the PIR subprotocols and one
is the one out of the two committed in step 1 above not used in the PIR
subprotocols. This can be written as an NP statement and can be efficiently
reduced to a membership statement $T$ for an NP-complete language. Bob
proves $T$ to Alice by using a witness-indistinguishable proof system.

We note that the parallel execution of an atomic zero-knowledge proof system
for an NP-complete language as the one in [18] is known to be witness-
indistinguishable from results in [14] and can be implemented using only 3 rounds
of communication, and therefore can be used in steps 4 and 5 above.

Now, let us briefly show that the modified protocol (Alice, Bob) is a $\binom{2}{1}$-OT
protocol. First of all, observe that the described modification does not affect the
property of correctness, which therefore continues to hold. Then observe that the
fact that the privacy against Alice continues to hold follows from the witness-
indistinguishability of the proof system used, and the privacy against a possibly
dishonest Bob follows from the soundness of the proof system used. Moreover,
the overall number of rounds of the modified protocol (Alice, Bob) is constant
and no additional complexity assumption is required, since commitment schemes
and 3-round witness-indistinguishable proof systems for NP-complete languages
can be implemented using any one-way function [20,30] and one-way functions,
in turn, can be obtained from any low-communication PIR protocol [3]. □

We remark that in the case $c(k) < k/2$ the above transformation can be made
more efficient (by a polynomial factor) using a direct derivation of commitment
schemes from low-communication PIR, provided in [3]. Finally, using Theorem 2
and the same techniques as above, Theorem 3 can be strengthened to transform
even an honest-database PIR into a $\binom{2}{1}$-OT protocol; that is:

Theorem 4. If there exists a single database honest-database PIR scheme with
database communication complexity $c_{\mathcal{D}}(k) < k$, where $k$ is the length of the
database, then there exists a $\binom{2}{1}$-OT protocol with security parameter $k$.

5 PIR Implies SPIR 

We are now ready to complete the proof of the following theorem. 

Theorem 5. If there exists a single database PIR scheme with communication
complexity $c(n) < n$, where $n$ is the length of the database, then there exists
a single database SPIR scheme with security parameter $k$ and communication
complexity $c(n) \cdot q(k)$ for some polynomial $q$.

Proof. First, by the result of Naor and Pinkas [31], we know that given a family
of pseudo-random functions, a $\binom{2}{1}$-OT primitive, and a single database PIR
with communication complexity $c(n)$, there exists a single database SPIR protocol
which uses $\log n$ invocations of $\binom{2}{1}$-OT, and additional communication
complexity $c(n \cdot \mathrm{poly}(k))$, where $n$ is the length of the data string and $k$ is the
security parameter. Next, since PIR implies one-way functions (first proved in [3], and
also directly following from the results in the previous section), PIR also implies
pseudo-random functions [17,20]. Finally, by our result in the previous section,
PIR implies $\binom{2}{1}$-OT (where the communication complexity is some polynomial
$\mathrm{poly}'$ in the security parameter). Thus, we get that PIR implies SPIR with
communication complexity $c'(n)$, satisfying $c'(n) = c(n \cdot \mathrm{poly}(k)) + \mathrm{poly}'(k) \log n =
\mathrm{poly}''(k) \cdot c(n)$, where $\mathrm{poly}, \mathrm{poly}', \mathrm{poly}''$ are polynomials, $k$ is a security
parameter, and $n$ is the length of the database. The second equality uses the fact that
$c(n) \geq \log n$, which follows from a result proven in [3], namely that in PIR where
the database sends less than $n$ bits, the user must send at least $\log n$ bits of
communication. □
Abstract. Password-based protocols for authenticated key exchange
(AKE) are designed to work despite the use of passwords drawn from
a space so small that an adversary might well enumerate, off line, all
possible passwords. While several such protocols have been suggested,
the underlying theory has been lagging. We begin by defining a model
for this problem, one rich enough to deal with password guessing, forward
secrecy, server compromise, and loss of session keys. The one model
can be used to define various goals. We take AKE (with "implicit"
authentication) as the "basic" goal, and we give definitions for it, and for
entity-authentication goals as well. Then we prove correctness for the
idea at the center of the Encrypted Key-Exchange (EKE) protocol of
Bellovin and Merritt: we prove security, in an ideal-cipher model, of the
two-flow protocol at the core of EKE.



1 Introduction 

The Problem. This paper continues the study of password-based protocols for 
authenticated key exchange (AKE). We consider the scenario in which there are
two entities — a client and a server — where holds a password pw and
holds a key related to this. The parties would like to engage in a conversation
at the end of which each holds a session key, sk, which is known to nobody
but the two of them. There is present an active adversary A whose capabilities
include enumerating, off-line, the words in a dictionary, this dictionary being
rather likely to include pw. In a protocol we deem "good" the adversary's chance
to defeat protocol goals will depend on how much she interacts with protocol
participants; it won't significantly depend on her off-line computing time.
The above protocol problem was first suggested by Bellovin and Merritt [6],
who also offer a protocol, Encrypted Key Exchange (EKE), and some informal
security analysis. This protocol problem has become quite popular, with further
papers suggesting solutions including [7,15,16,17,18,22,10,11,10,21]. The reason
for this interest is simple: password-guessing attacks are a common avenue for
breaking into systems, and here is a domain where good cryptographic protocols
can help.

Contributions. Our first goal was to find an approach to help manage the 
complexity of definitions and proofs in this domain. We start with the model 
and definitions of Bellare and Rogaway [4] and modify or extend them appropri- 
ately. The model can be used to define the execution of authentication and key- 
exchange protocols in many different settings. We specify the model in pseudo- 
code, not only in English, so as to provide succinct and unambiguous execution 
semantics. The model is used to define the ideas of proper partnering, fresh- 
ness of session keys, and measures of security for authenticated key exchange, 
unilateral authentication, and mutual authentication. Some specific features of 
our approach are: partnering via session IDs (an old idea of Bellare, Petrank, 
Rackoff, and Rogaway — see Remark 1); a distinction between accepting a key 
and terminating; incorporation of a technical correction to [4] concerning Test 
queries (this arose from a counter-example by Rackoff — see Remark 5); provid- 
ing the adversary a separate capability to obtain honest protocol executions 
(important to measure security against dictionary attacks); and providing the 
adversary corruption capabilities which enable a treatment of forward secrecy. 

We focus on AKE (with no explicit authentication). Philosophically, AKE is
more "basic" than a goal like mutual authentication (MA). Pragmatically, AKE
is simpler and takes fewer flows (two instead of three). Earlier work [3] began by
defining MA and then embellishing the definition to handle an associated key
exchange. Protocol development followed the same course. That approach gets
complicated when one adds in the concern for password-guessing security.

Under our approach resistance to dictionary attacks is just a question of 
advantage vs. resource expenditure. It shows up in theorems, not definitions 
(once the model is adequately refined). A theorem asserting security of some 
protocol makes quantitative how much computation helps and just how much 
interaction does. One sees whether or not one has security against dictionary 
attacks by looking to see if maximal adversarial advantage grows primarily with 
the ratio of interaction to the size of the password space. 

In Section 4 we define EKE2, which is essentially the pair of flows at the 
center of Bellovin and Merritt’s Diffie-Hellman based Encrypted Key Exchange 
protocol [6]. We show that EKE2 is a secure AKE protocol, in the ideal-cipher 
model. Security here entails forward secrecy. 

Related Work. Recently people have been trying to get this area onto firmer 
foundations. The approach has been to build on the ideas of Bellare and Rog- 
away [3,4], extending their definitions to deal with dictionary attacks. Lucks [17] 
was the first work in this vein. Halevi and Krawczyk [14] provide definitions and 
protocols for password-based unilateral authentication (UA) in the model in 
which the client holds the public key for the server, a problem which is different 
from, but related to, the one we are considering. Some critiques of [14] are made 
by [9], who also give their own, simulation-based notion for password-based UA. 

In contemporaneous work to ours MacKenzie and Swaminathan [18], building 
on [3,14], give definitions and proofs for a password-based MA protocol, and then 
a protocol that combines MA and AKE. Boyko, MacKenzie and Patel, building 
on [1,20], give definitions and a proof for a Diffie-Hellman based protocol. In 
both papers the authors’ motivation is fundamentally the same as our own: to 
have practical and provably secure password-based protocols. 

Ongoing Work. In [5] we provide a simple AKE protocol for the asymmetric 
trust model: the client holds pw and the server holds (pw), where is a one- 
way function. If the adversary corrupts the server she must still expend time 
proportional to the quality of the password. We are working on the analysis. 
We are also investigating the security of EKE2 when its encryption function 
E is instantiated by E_pw( ) = · (pw), where is a random oracle and the 
arithmetic is in the underlying group. 



2 Model 

The model described in this section is based on that of [3,4]. In particular we 
take from there the idea of modeling instances of principals via oracles available 
to the adversary; modeling various kinds of attacks by appropriate queries to 
these oracles; having some notion of partnering; and requiring semantic security 
of the session key via Test queries. 

Protocol Participants. We fix a nonempty set ID of principals. Each princi- 
pal is either a client or a server: ID is the union of the finite, disjoint, nonempty 
sets Client and Server. Each principal U ∈ ID is named by a string, and that 
string has some fixed length. When U ∈ ID appears in a protocol flow or as an 
argument to a function, we mean the string which names the principal. 

Long-Lived Keys. Each principal A ∈ Client holds some password, pw_A. Each 
server B ∈ Server holds a vector pw_B = (pw_B[A])_{A ∈ Client} which contains an 
entry per client. Entry pw_B[A] is called the transformed-password. In a protocol 
for the symmetric model pw_A = pw_B[A]; that is, the client and server share the 
same password. In a protocol for the asymmetric model, pw_B[A] will typically 
be chosen so that it is hard to compute pw_A from A, B, and pw_B[A]. The 
password pw_A (and therefore the transformed password pw_B[A]) might be a 
poor one. Probably some human chose it himself, and then installed pw_B[A] at 
the server. We call the pw_A and pw_B long-lived keys (LL-keys). 

Figure 1 specifies how a protocol is run. It is in Initialization that pw_A and 
pw_B arise: everybody's LL-key is determined by running a LL-key generator, 
PW. A simple possibility for PW is that the password for client A is determined 
by pw_A ←$ PW_A, for some finite set PW_A, and pw_B[A] is set to pw_A. Notice 
that, in Figure 1, PW takes a superscript h, which is chosen from space Ω. 
Initialization 

    h ←$ Ω; (pw_A, pw_B)_{A ∈ Client, B ∈ Server} ←$ PW^h() 
    for i ∈ N and U ∈ ID do 
        state_U^i ← READY; acc_U^i ← term_U^i ← used_U^i ← FALSE 
        sid_U^i ← pid_U^i ← sk_U^i ← undef 

Send(U, i, M) 

    used_U^i ← TRUE; if term_U^i then return invalid 
    (msg-out, acc, term_U^i, sid, pid, sk, state_U^i) ← P^h(U, pw_U, state_U^i, M) 
    if acc and ¬acc_U^i then 
        sid_U^i ← sid; pid_U^i ← pid; sk_U^i ← sk; acc_U^i ← TRUE 
    return (msg-out, sid, pid, acc, term_U^i) 

Reveal(U, i) 

    return sk_U^i 

Corrupt(U, pw) 

    if U ∈ Client and pw ≠ dontChange then 
        for B ∈ Server do pw_B[U] ← pw[B] 
    return (pw_U, {state_U^i}_{i ∈ N}) 

Execute(A, i, B, j) 

    if A ∉ Client or B ∉ Server or used_A^i or used_B^j then return invalid 
    msg-in ← B 
    for t ← 1 to ∞ do 
        (msg-out, sid, pid, acc, term_A) ← Send(A, i, msg-in) 
        α_t ← (msg-out, sid, pid, acc, term_A); msg-in ← msg-out 
        if term_A and term_B then return (α_1, β_1, α_2, β_2, ..., α_t) 
        (msg-out, sid, pid, acc, term_B) ← Send(B, j, msg-in) 
        β_t ← (msg-out, sid, pid, acc, term_B); msg-in ← msg-out 
        if term_A and term_B then return (α_1, β_1, α_2, β_2, ..., α_t, β_t) 

Test(U, i) 

    sk ←$ SK; b ←$ {0, 1}; if ¬term_U^i then return invalid 
    if b = 1 then return sk_U^i else return sk 

Oracle(M) 

    return h(M) 

Fig. 1. The model. The protocol is P, the LL-key generator is PW, and the 
session-key space is SK. Probability space Ω depends on the model of computation. 



This lets PW's behavior depend on an idealized hash function. Different LL-key 
generators can be used to capture other settings, like a public-key one. 

Executing the Protocol. Formally, a protocol P is just a probabilistic algo- 
rithm taking strings to strings. This algorithm determines how instances of the 
principals behave in response to signals (messages) from their environment. It 
is the adversary who sends these signals. As with the LL-key generator, P may 
depend on h. 

Adversary A is a probabilistic algorithm with a distinguished query tape. 
Queries written on this tape are answered as specified in Figure 1. The following 
English-language description may clarify what is happening. 

During the execution there may be running many instances of each princi- 
pal U ∈ ID. We call instance i of principal U an oracle, and we denote it Π_U^i. 
Each instance of a principal might be embodied as a process (running on some 
machine) which is controlled by that principal. 

A client-instance speaks first, producing some first message, Flow1. A server- 
instance responds with a message of its own, Flow2, intended for the client- 
instance which sent Flow1. This process is intended to continue for some fixed 
number of flows (usually 2-5), until both instances have terminated. By that 
time each instance should have accepted, holding a particular session key (SK), 
session id (SID), and partner id (PID). Let us describe these more fully. 

At any point in time an oracle may accept. When an oracle accepts it holds 
a session key sk, a session id sid, and a partner id pid. Think of these values 
as having been written on a write-only tape. The SK is what the instance was 
aiming to get. It can be used to protect an ensuing conversation. The SID is an 
identifier which can be used to uniquely name the ensuing session. It is also useful 
definitionally. The PID names the principal with which the instance believes it 
has just exchanged a key. The SID and PID aren’t secret — indeed we will hand 
them to the adversary — but the SK certainly is. A client-instance and a server- 
instance can accept at most once. 

Remark 1. In this paper we use session IDs as our approach to defining partner- 
ing. This idea springs from discussions in 1995 among Bellare, Petrank, Rackoff, 
and Rogaway. In [3] the authors define partnering via "matching conversations," 
while in [4] the authors define partnering by way of an existentially guaran- 
teed partnering function. Though all three approaches are reasonable, the use of 
matching conversations can be criticized as focusing on a syntactic element that 
is ultimately irrelevant, while partnering via an existentially guaranteed partner- 
ing function allows for some unintuitive partnering functions. An explicit SID 
seems an elegant way to go. Specification documents defining "real" protocols 
(e.g., SSL and IPSec) typically do have SIDs, and in cases where an SID was 
not made explicit one can readily define one (e.g., by the concatenation of all 
protocol flows). □ 



Remark 2. We emphasize that accepting is different from terminating. When 
an instance terminates, it is done — it has what it wants, and won’t send out 
any further messages. But an instance may wish to accept now, and terminate 
later. This typically happens when an instance believes it is now holding a good 
session key, but, prior to using that key, the instance wants confirmation that 
its desired communication partner really exists, and is also holding that same 
session key. The instance can accomplish this by accepting now, but waiting for 
a confirmation message to terminate. The distinction between terminating and 
accepting may at first seem artificial, but the distinction is convenient and it is 
typical of real MA protocols. It can be seen as an “asymmetry-breaking device” 
for dealing with the well-known issue that the party who sends the last flow is 
never sure if it was received. □ 

Our communications model places the adversary at the center of the universe. 
The adversary A can make queries to any instance: she has an endless supply of 
oracles Π_U^i (U ∈ ID and i ∈ N). There are all together six types of queries that 
A can make. The responses to these queries are specified in Figure 1. We now 
explain the capability that each kind of query captures. 

(1) Send(U, i, M) — This sends message M to oracle Π_U^i. The oracle computes 
what the protocol says to, and sends back the response. Should the oracle accept, 
this fact, as well as the SID and PID, will be made visible to the adversary. Should 
the oracle terminate, this too will be made visible to the adversary. To initiate 
the protocol with client A trying to enter into an exchange with server B the 
adversary should send message M = B to an unused instance of A. A Send-query 
models the real-world possibility of an adversary A causing an instance to come 
into existence, for that instance to receive communications fabricated by A, and 
for that instance to respond in the manner prescribed by the protocol. 

(2) Reveal(U, i) — If oracle Π_U^i has accepted, holding some session key sk, then 
this query returns sk to the adversary. This query models the idea (going back 
to Denning and Sacco [12]) that loss of a session key shouldn't be damaging to 
other sessions. A session key might be lost for a variety of reasons, including 
hacking, cryptanalysis, and the prescribed release of that session key when the 
session is torn down. 

(3) Corrupt(U, pw) — The adversary obtains pw_U and the states of all instances 
of U (but see Remark 3). This query models the possibility of subverting a 
principal by, for example, witnessing a user type in his password, installing a 
"Trojan horse" on his machine, or hacking into a machine. Obviously this is a 
very damaging type of query. Allowing it lets us deal with forward secrecy and 
the extent of damage which can be done by breaking into a server. A Corrupt 
query directed against a client U may also be used to replace the value of pw_B[U] 
used by server B. This is the role of the second argument to Corrupt. Including 
this capability allows a dishonest client U to try to defeat protocol aims by 
installing a strange string as a server B's transformed password pw_B[U]. 

(4) Execute(A, i, B, j) — Assuming that client oracle Π_A^i and server oracle Π_B^j 
have not been used, this call carries out an honest execution of the protocol be- 
tween these oracles, returning a transcript of that execution. This query may at 
first seem useless since, using Send queries, the adversary already has the ability 
to carry out an honest execution between two oracles. Yet the query is essential 
for properly dealing with dictionary attacks. In modeling such attacks the ad- 
versary should be granted access to plenty of honest executions, since collecting 
these involves just passive eavesdropping. The adversary is comparatively con- 
strained in its ability to actively manipulate flows to the principals, since bogus 
flows can be audited and punitive measures taken should there be too many. 

(5) Test(U, i) — If Π_U^i has terminated, holding a session key sk, then the following 
happens. A coin b is flipped. If it lands b = 1, then sk is returned to the adversary. 
If it lands b = 0, then a random session key, drawn from the distribution from 
which session keys are supposed to be drawn, is returned (this is the convention 
of Figure 1). This type of query is only used to measure adversarial success — it 
does not correspond to any actual adversarial ability. You should think of the 
adversary asking this query just once. 
(6) Oracle(M) — Finally, we give the adversary oracle access to a function h, 
which is selected at random from some probability space Ω. As already remarked, 
not only the adversary, but the protocol and the LL-key generator may depend 
on h. The choice of Ω determines if we are working in the standard model, ideal- 
hash model, or ideal-cipher model. See the discussion below. 

Remark 3. As described in Figure 1, a Corrupt query directed against U releases 
the LL-key pw_U and also the current state of all instances of U. We call this 
the "strong-corruption model." A weaker type of Corrupt query returns only the 
LL-key of that principal. We call this the "weak-corruption model." The weak- 
corruption model corresponds to acquiring a principal's password by coaxing it 
out of him, as opposed to completely compromising his machine. □ 

Remark 4. Notice that a Corrupt query to U does not result in the release of the 
session keys owned by U. The adversary already has the ability to obtain session 
keys through Reveal queries, and releasing those keys by a Corrupt query would 
make forward secrecy impossible. □ 

Remark 5. Soon after the appearance of [4], Rackoff [19] came up with an ex- 
ample showing how the definition given in that paper was not strong enough to 
guarantee security for certain applications using the distributed session key. The 
authors of [4] traced the problem to a simple issue: they had wrongly made the 
restriction that the Test query be the adversary’s last. Removal of this restriction 
solved the problem. This minor but important change in the definition of [4], 
made in 1995, has since been folklore in the community of researchers in this 
area, and is explicitly incorporated into our current work. □ 

Standard Model, Ideal-Hash Model, Ideal-Cipher Model. Figure 1 
refers to probability space Ω. We consider three possibilities for Ω, giving rise to 
three different models of computation. 

In the standard model Ω is the distribution which puts all the probability 
mass on one function: the constant function which returns the empty string, ε, 
for any query M. So in the standard model, all mention of h can be ignored. 

Fix a finite set of strings C. In the ideal-hash model (also called the random- 
oracle model) choosing a random function from Ω means choosing a random 
function h from {0,1}* to C. This models the use of a cryptographic hash function 
which is so good that, for purposes of analysis, one prefers to think of it as a 
public random function. 

Fix finite sets of strings G and C where |G| = |C|. In the ideal-cipher model 
choosing a random function h from Ω amounts to giving the protocol (and the 
adversary) a perfect way to encipher strings in G: namely, for each K ∈ {0,1}*, we 
set E_K : G → C to be a random one-to-one function, and we let D_K : {0,1}* → G ∪ {bad} 
be defined by D_K(y) is the value x such that E_K(x) = y, if y ∈ C, and bad 
otherwise. We let h(encrypt, K, x) = E_K(x) and h(decrypt, K, y) = D_K(y). 

The capabilities of the ideal-cipher model further include those of the ideal-hash 
model, by means of a query h(hash, M) which, for shorthand, we denote H(M). 
The ideal-cipher model is very strong (even stronger than the ideal-hash 
model) and yet there are natural and apparently-good ways to instantiate an 
ideal cipher for use in practical protocols. See [8]. Working in this model does 
not render trivial the goals that this paper is interested in, and it helps make 
for protocols that don't waste any bits. A protocol will always have a clearly- 
indicated model of computation for which it is intended so, when the protocol 
is fixed, we do not make explicit mention of the model of computation. 

Remark 6. The ideal-cipher model is richer than the RO-model, and you can’t 
just say “apply the Feistel construction to your random oracle to make the 
cipher.” While this may be an approach to instantiating an ideal-cipher, there is 
no formal sense we know in which you can simulate the ideal-cipher model using 
only the RO-model. □ 

3 Definitions 

Our definitional approach is from [4], but adaptations must be made since part- 
nering is defined in a different manner than in [4] (as discussed in Section 2), 
and since we now consider forward secrecy as one of our goals. 

Partnering Using SIDs. Fix a protocol P, adversary A, LL-key generator 
PW, and session-key space SK. Run P in the manner specified in Section 2. In 
this execution, we say that oracles Π_U^i and Π_{U'}^{i'} are partnered (and each oracle 
is said to be a partner of the other) if both oracles accept, holding (sk, sid, pid) 
and (sk', sid', pid') respectively, and the following hold: 

(1) sid = sid' and sk = sk' and pid = U' and pid' = U. 

(2) U ∈ Client and U' ∈ Server, or U ∈ Server and U' ∈ Client. 

(3) No oracle besides Π_U^i and Π_{U'}^{i'} accepts with a SID of sid. 

The above definition of partnering is quite strict. For two oracles to be partners 
with one another they should have the same SID and the same SK, one should 
be a client and the other a server, each should think itself partnered with the 
other, and, finally, no third oracle should have the same SID. Thus an oracle 
that has accepted will have a single partner, if it has any partner at all. 

Two Flavors of Freshness. Once again, run a protocol with its adversary. 
Suppose that the adversary made exactly one Test query, and it was to Π_U^i. 
Intuitively, the oracle Π_U^i should be considered unfresh if the adversary may 
know the SK contained within it. 

In Figure 2 we define two notions of freshness — with and without forward se- 
crecy (fs). Here is the notation used in that figure. We say "RevealTo(U, i)" 
is true iff there was, at some point in time, a query Reveal(U, i). We say 
"RevealToPartnerOf(U, i)" is true iff there was, at some point in time, a query 
Reveal(U', i') and Π_{U'}^{i'} is a partner to Π_U^i. We say "SomebodyWasCorrupted" 
is true iff there was, at some point in time, a query Corrupt(U', pw) for some 
U', pw. We say "SomebodyWasCorruptedBeforeTheTestQuery" is true iff there 
was a Corrupt(U', pw) query and this query was made before the Test(U, i) 
query. We say that "Manipulated(U, i)" is true iff there was, at some point in 
time, a Send(U, i, M) query, for some string M. 

The basic notion of freshness (no requirement for forward secrecy): 

    if [RevealTo(U, i)] or [RevealToPartnerOf(U, i)] or [SomebodyWasCorrupted] 
    then unfresh else fresh 

A notion of freshness that incorporates a requirement for forward secrecy: 

    if [RevealTo(U, i)] or [RevealToPartnerOf(U, i)] or 
       [SomebodyWasCorruptedBeforeTheTestQuery and Manipulated(U, i)] 
    then fs-unfresh else fs-fresh 

Fig. 2. Session-key freshness. A Test query is made to oracle Π_U^i. The chart 
specifies how, at the end of the execution, the session key of that oracle should 
be regarded (fresh or unfresh, and fs-fresh or fs-unfresh). Notation is described 
in the accompanying text. 

Explanation. In our definition of security we will be "giving credit" to the 
adversary A if she specifies a fresh (or fs-fresh) oracle and then correctly iden- 
tifies if she is provided the SK from that oracle or else a random SK. We make 
two cases, according to whether or not "forward secrecy" is expected. Recall 
that forward secrecy entails that loss of a long-lived key should not compromise 
already-distributed session keys. 

Certainly an adversary can know the SK contained within an oracle Π_U^i if she 
did a Reveal query to Π_U^i, or if she did a Reveal query to a partner of Π_U^i. This 
accounts for the first two disjuncts in each condition of Figure 2. The question is 
whether or not a Corrupt query may divulge the SK. Remember that a Corrupt 
query does not actually return the SK, but it does return the LL-key. For the "basic" 
notion of security (fresh/unfresh) we pessimistically assume that a Corrupt query 
does reveal the session key, so any Corrupt query makes all oracles unfresh. (One 
could tighten this a little, if desired.) For the version of the definition with 
forward secrecy a Corrupt query may reveal a SK only if the Corrupt query was 
made before the Test query. We also require that the Test query was to an oracle 
that was the target of a Send query (as opposed to an oracle that was used in 
an Execute query). (Again, this can be tightened up a little.) This acts to build 
in the following requirement: that even after the Corrupt query, session keys 
exchanged by principals who behave honestly are still fs-fresh. This is a nice 
property, and since it seems to always be achieved in protocols which achieve 
forward secrecy, we have lumped it into that notion. What was done amounts 
to saying that an "honest" oracle — one that is used only for an Execute call — 
is always fs-fresh, even if there is a Corrupt query. (Of course you still have to 
exclude the possibility that the oracle was the target of a Reveal query, or 
that its partner was.) 

Remark 7. Forward secrecy, in the strong-corruption model, is not achievable by 
two-flow protocols. The difficulty is the following. A two-flow protocol is client- 
to-server then server-to-client. If the client oracle is corrupted after the server 
oracle has terminated but before the client oracle has received the response, then 
the server oracle will be fs-fresh but the adversary can necessarily compute the 
shared SK since the adversary has the exact same information that the client 
oracle would have had the client oracle received the server oracle's flow. 

One way around this is to go to the weak-corruption model. A second way 
around this is to add a third flow to the protocol. A final way around this is to 
define a slightly weaker notion of forward secrecy, weak forward-secrecy, in which 
an oracle is regarded as "wfs-unfresh" if it is fs-unfresh, or the test query is to a 
manipulated oracle, that oracle is unpartnered at termination, and somebody 
gets corrupted. Otherwise the oracle is wfs-fresh. □ 
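The partnering conditions (1)-(3) and the freshness predicates of Figure 2 can be evaluated mechanically over an execution's query log. The following is an added example written for this page, not code from the paper: it encodes the SID-based partnering definition, both freshness notions of Figure 2, and, going slightly beyond the figure, the wfs variant of Remark 7, and evaluates them on four constructed query logs. The log encoding, the principal names A and B, and the placeholder session keys and SIDs are this example's own choices; the paper specifies none of them.

```python
# Bookkeeping for the Section 3 definitions, evaluated over a constructed query log.
# The log encoding, principal names and placeholder keys below are this example's own.
CLIENTS, SERVERS = {"A"}, {"B"}

def partner_of(accepted, U, i):
    """SID-based partnering. accepted maps (U, i) -> (sk, sid, pid) for every oracle
    that accepted; returns the unique partner of Pi_U^i, or None."""
    if (U, i) not in accepted:
        return None
    sk, sid, pid = accepted[(U, i)]
    with_sid = [k for k, (_, s, _) in accepted.items() if s == sid]
    if len(with_sid) != 2:                       # (3): no third oracle accepted with this SID
        return None
    V, j = next(k for k in with_sid if k != (U, i))
    sk2, _, pid2 = accepted[(V, j)]
    opposite = (U in CLIENTS and V in SERVERS) or (U in SERVERS and V in CLIENTS)   # (2)
    if sk == sk2 and pid == V and pid2 == U and opposite:                          # (1)
        return (V, j)
    return None

def freshness(log, accepted, U, i):
    """Figure 2 plus the wfs variant of Remark 7, for the single Test query to Pi_U^i.
    log holds the adversary's queries in order: ("Send", U, i, M), ("Reveal", U, i),
    ("Corrupt", U), ("Execute", A, i, B, j) and ("Test", U, i)."""
    def asked(kind, key):
        return any(q[0] == kind and q[1:3] == key for q in log)
    test_at = next(n for n, q in enumerate(log) if q[0] == "Test" and q[1:3] == (U, i))
    partner = partner_of(accepted, U, i)
    reveal_to = asked("Reveal", (U, i))
    reveal_to_partner = partner is not None and asked("Reveal", partner)
    corrupted = any(q[0] == "Corrupt" for q in log)
    corrupted_before_test = any(q[0] == "Corrupt" for q in log[:test_at])
    manipulated = asked("Send", (U, i))
    fresh = not (reveal_to or reveal_to_partner or corrupted)
    fs_fresh = not (reveal_to or reveal_to_partner or (corrupted_before_test and manipulated))
    wfs_fresh = fs_fresh and not (manipulated and partner is None and corrupted)
    return {"fresh": fresh, "fs-fresh": fs_fresh, "wfs-fresh": wfs_fresh}

# Constructed executions; session keys and SIDs are placeholder byte strings.
SK1, SID1 = b"k1", b"sid1"

def scenario_honest_then_corrupt():
    """Pi_A^1 and Pi_B^1 ran via Execute; the adversary then corrupts A and tests Pi_A^1."""
    accepted = {("A", 1): (SK1, SID1, "B"), ("B", 1): (SK1, SID1, "A")}
    log = [("Execute", "A", 1, "B", 1), ("Corrupt", "A"), ("Test", "A", 1)]
    return freshness(log, accepted, "A", 1)      # unfresh, but fs-fresh and wfs-fresh

def scenario_relayed_then_corrupt():
    """Same session driven by Send queries (adversary relays honestly), Corrupt before Test."""
    accepted = {("A", 2): (b"k2", b"sid2", "B"), ("B", 2): (b"k2", b"sid2", "A")}
    log = [("Send", "A", 2, "B"), ("Send", "B", 2, "flow1"), ("Send", "A", 2, "flow2"),
           ("Corrupt", "A"), ("Test", "A", 2)]
    return freshness(log, accepted, "A", 2)      # manipulated and corrupted before Test: fs-unfresh

def scenario_impersonated_corrupt_after_test():
    """Adversary played the server to Pi_A^3 (so it has no partner), tested it, then corrupted A."""
    accepted = {("A", 3): (b"k3", b"sid3", "B")}
    log = [("Send", "A", 3, "B"), ("Send", "A", 3, "forged"), ("Test", "A", 3), ("Corrupt", "A")]
    return freshness(log, accepted, "A", 3)      # fs-fresh (Corrupt after Test) but wfs-unfresh

def scenario_partner_revealed():
    """A Reveal to the partner of the tested oracle makes it unfresh under every notion."""
    accepted = {("A", 4): (SK1, b"sid4", "B"), ("B", 4): (SK1, b"sid4", "A")}
    log = [("Execute", "A", 4, "B", 4), ("Reveal", "B", 4), ("Test", "A", 4)]
    return freshness(log, accepted, "A", 4)

if __name__ == "__main__":
    for f in (scenario_honest_then_corrupt, scenario_relayed_then_corrupt,
              scenario_impersonated_corrupt_after_test, scenario_partner_revealed):
        print(f.__name__, f())
```

The third scenario is the situation Remark 7 describes: under fs-freshness the oracle stays fresh because the Corrupt came after the Test, and the wfs notion is what rules it out, since the tested oracle was manipulated, ended unpartnered, and somebody was corrupted.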

AKE Security (With and without Forward Secrecy). In a protocol 
execution of (P, PW, SK, A) we say that A wins, in the AKE sense, if she asks 
a single Test-query, Test(U, i), where Π_U^i has terminated and is fresh, and A 
outputs a single bit, b', and b' = b (where b is the bit selected during the Test 
query). The ake advantage of A in attacking (P, PW, SK) is twice the probability 
that A wins, minus one. (The adversary can trivially win with probability 1/2. 
Multiplying by two and subtracting one simply rescales this probability.) We 
denote the ake advantage by Adv^{ake}_{P,PW,SK}(A). 

We similarly define the ake-fs advantage, Adv^{ake-fs}_{P,PW,SK}(A), where now one 
insists that the oracle Π_U^i to which the Test-query is directed be fs-fresh. 

Authentication. In a protocol execution of (P, PW, SK, A), we say that an 
adversary violates client-to-server authentication if some server oracle terminates 
but has no partner oracle. We let the c2s advantage be the probability of this 
event, and denote it by Adv^{c2s}_{P,PW,SK}(A). We say that an adversary violates 
server-to-client authentication if some client oracle terminates but has no partner 
oracle. We let the s2c advantage be the probability of this event, and denote 
it by Adv^{s2c}_{P,PW,SK}(A). We say that an adversary violates mutual authentication 
if some oracle terminates, but has no partner oracle. We let the ma advantage 
denote the probability of this event, and denote it by Adv^{ma}_{P,PW,SK}(A). 

Measuring Adversarial Resources. We are interested in an adversary's 
maximal advantage in attacking some protocol as a function of her resources. 
The resources of interest are: 

• t — the adversary's running time. By convention, this includes the amount 
of space it takes to describe the adversary. 

• q_se, q_re, q_co, q_ex, q_or — these count the number of Send, Reveal, Corrupt, 
Execute, and Oracle queries, respectively. 

When we write Adv^{ake}_{P,PW,SK}(resources), overloading the Adv-notation, it means 
the maximal possible value of Adv^{ake}_{P,PW,SK}(A) among all adversaries that expend 
at most the specified resources. By convention, the time to sample in PW (one 
time) and to sample in SK (one time) are included in Adv_{P,PW,SK}(resources) 
(for each type of advantage). 
Diffie-Hellman Assumption. We will prove security under the computational 
Diffie-Hellman assumption. The concrete version of relevance to us is the follow- 
ing. Let G = ⟨g⟩ be a finite group. We assume some fixed representation for 
group elements, and implicitly switch between group elements and their string 
representations. Let A be an adversary that outputs a list of q group elements. 
Then we define 

    Adv^{dh}_G(A) = Pr[x, y ←$ {1, ..., |G|} : g^{xy} ∈ A(g^x, g^y)]   and 

    Adv^{dh}_G(t, q) = max_A {Adv^{dh}_G(A)} 

where the maximum is over all adversaries that run in time at most t and output a 
list of q group elements. As before, t includes the description size of adversary A. 

4 Secure AKE: Protocol EKE2 

In this section we prove the security of the two flows at the center of Bellovin 
and Merritt’s EKE protocol [6]. Here we define the (slightly modified) “piece” 
of EKE that we are interested in. 

Description of EKE2. This is a Diffie-Hellman key exchange in which each 
flow is enciphered by the password, the SK is sk = H(A ∥ B ∥ g^x ∥ g^y ∥ g^{xy}), 
and the SID and PID are appropriately defined. The name of the sender also 
accompanies the first flow. See Figures 3 and 4. 

Arithmetic is in a finite cyclic group G = ⟨g⟩. This group could be G = Z_p^*, 
or it could be a prime-order subgroup of this group, or it could be an elliptic 
curve group. We denote the group operation multiplicatively. The protocol uses 
a cipher E : Password × G → C, where pw_A ∈ Password for all A ∈ Client. 
There are many concrete constructions that could be used to instantiate such 
an object; see [8]. In the analysis this is treated as an ideal cipher. Besides the 
cipher we use a hash function H. It outputs strings of a fixed length, the length 
of the session key we are trying to distribute. Accordingly, the session-key space 
SK associated to this protocol is the set of all strings of that length, equipped 
with the uniform distribution. 

Security Theorem. The following indicates that the security of EKE2 is about 
as good as one could hope for. We consider the simple case where all client 
passwords are chosen uniformly (and independently) at random from Password. 
Formally this initialization is captured by defining the appropriate LL-key 
generator PW. It picks pw_A ←$ Password for each A ∈ Client and sets 
pw_B[A] = pw_A for each B ∈ Server and A ∈ Client. It then sets 
pw_B = (pw_B[A])_{A ∈ Client} and outputs (pw_A, pw_B)_{A ∈ Client, B ∈ Server}. The theorem 
below assumes that the space Password is known in the sense that it is possible 
to sample from it efficiently. 

Theorem 1. Let q_se, q_re, q_co, q_ex, q_or be integers and let q = q_se + q_re + q_co + 
q_ex + q_or. Let Password be a finite set and assume 1 ≤ |Password| ≤ √|G|. 
Let PW be the associated LL-key generator as discussed above. Let P be the 
EKE2 protocol and let SK be the associated session-key space. Assume the weak- 
corruption model. Then 

    Adv^{ake-fs}_{P,PW,SK}(t, q_se, q_re, q_co, q_ex, q_or) 
        ≤ q_se / |Password| + (·) / |G| + q_se · q_or · Adv^{dh}_G(t', ·) 

where t' = t + (q_se + q_or) · (·); the factors written (·) are illegible in the source 
copy and are not reproduced here. 

    A → B : A ∥ E_pw(g^x) 
    B → A : E_pw(g^y) 

Fig. 3. The protocol EKE2. Depicted are the flows of an honest execution. The 
shared session key is sk = H(A ∥ B ∥ g^x ∥ g^y ∥ g^{xy}) and the shared session ID is 
sid = A ∥ E_pw(g^x) ∥ B ∥ E_pw(g^y). The partner ID for A is pid_A = B and the 
partner ID for B is pid_B = A. 

Remark 8. Since EKE2 is a two-flow protocol, Remark 7 implies that it cannot 
achieve forward secrecy in the strong-corruption model. Accordingly the above 
theorem considers the weak-corruption model with regard to forward secrecy. 
The resistance to dictionary attacks is captured by the first term, which is the 
number of Send queries divided by the size of the password space. The other 
terms can be made negligible by an appropriate choice of parameters for the 
group G. □ 



Remark 9. The upper bound imposed in the theorem on the size of the pass- 
word space is not a restriction because if the password space were larger the 
question of dictionary attacks becomes moot: the adversary cannot exhaust the 
password space off-line anyway. Nonetheless it may be unclear why we require 
such a restriction. Intuitively, as long as the password space is not too large the 
adversary can probably eliminate at most one candidate password from consid- 
eration per Send query, but for a larger password space it might in principle be 
able to eliminate more at a time. This doesn’t damage the success probability 
because although it eliminates more passwords at a time, there are also more 
passwords to consider. □ 

The proof of Theorem 1 is omitted due to lack of space and can be found in the 
full version of this paper [2]. We try however to provide a brief sketch of the 
main ideas in the analysis. 
if state = READY and U ∈ Client then                    // A sends the first flow 
    A ← U; B ← msg-in, where B ∈ Server 
    x ←$ {1, ..., |G|}; X ← g^x; X* ← E_pw(X); msg-out ← A ∥ X* 
    sid ← pid ← sk ← ε; acc ← term ← FALSE; state ← (x, B) 
    return (msg-out, acc, term, sid, pid, sk, state) 

else if state = READY and U ∈ Server then               // B sends the second flow 
    B ← U; (A, X*) ← msg-in, where A ∈ Client and X* is a ciphertext 
    y ←$ {1, ..., |G|}; Y ← g^y; Y* ← E_pw(Y) 
    X ← D_pw(X*); K ← X^y; msg-out ← Y* 
    sid ← A ∥ X* ∥ B ∥ Y*; pid ← A; sk ← H(A ∥ B ∥ X ∥ Y ∥ K) 
    acc ← term ← TRUE; state ← done 
    return (msg-out, acc, term, sid, pid, sk, state) 

else if state = (x, B) and U ∈ Client then              // A receives the second flow 
    A ← U; Y* ← msg-in, where Y* is a ciphertext 
    X ← g^x; X* ← E_pw(X); Y ← D_pw(Y*); K ← Y^x; msg-out ← ε 
    sid ← A ∥ X* ∥ B ∥ Y*; pid ← B; sk ← H(A ∥ B ∥ X ∥ Y ∥ K) 
    acc ← term ← TRUE; state ← done 
    return (msg-out, acc, term, sid, pid, sk, state) 

Fig. 4. Definition of EKE2. The above defines both client and server behavior, 
P((U, pw, state, msg-in)); pw stands for pw_A at the client and for pw_B[A] at the 
server. 



Assume for simplicity there is just one client and one server . Consider 
some adversary A attacking the protocol. We view A as trying to guess ’s 
password. We consider at any point in time a set of “remaining candidates.” 
At first this equals Password, and as time goes on it contains those candidate 
passwords that the adversary has not been able to eliminate from consideration 
as values of the actual password held by . We also define a certain “bad” event 
in the execution of the protocol with this adversary, and show that as long as 
this event does not occur, two things are true: 

(1) ’s password, from the adversary’s point of view, is equally likely to be any 
one from the set of remaining passwords, and 

(2) The size of the set of remaining passwords decreases by at most one with 
each oracle query, and the only queries for which a decrease occurs are 
reveal or test queries to manipulated oracles. 

The second condition implies that the number of queries for which the decrease
of size in the set of remaining candidates occurs is bounded by q_se. We then show
that the probability of the bad event can be bounded in terms of the advantage
function of the DH problem over G.

Making this work requires isolating a bad event with two properties. First,
whenever it happens we have a way to “embed” instances of the DH problem
into the protocol so that adversarial success leads to our obtaining a solution to
the DH problem. Second, absence of the bad event leads to an inability of the
adversary to obtain information about the password at a better rate than
eliminating one password per reveal or test query to a manipulated oracle. Bounding
the probability of the bad event involves a “simulation” argument as we attempt
to “plant” DH problem instances in the protocol. Bounding adversarial success
under the assumption the bad event does not happen is an information-theoretic
argument. Indeed, the difficulty of the proof is in choosing the bad event so that
one can split the analysis into an information-theoretic component and a
computational component in this way.



5 Adding Authentication 

In this section we sketch generic transformations for turning an AKE proto- 
col ' into a protocol that provides client-to-server authentication, server-to- 
client authentication, or both. The basic approach is well-known in folklore — use 
the distributed session key to construct a simple “authenticator” for the other 
party — but one has to be careful in the details, and people often get them wrong. 

The ease with which an AKE protocol can be modified to provide authenti- 
cation is one of the reasons for using AKE as a starting point. 

In what follows we assume that the AKE protocol ' is designed to distribute 
session keys from a space SK = the uniform distribution on -bit strings. 

While a pseudorandom function is sufficient for adding authentication to an
AKE protocol, for simplicity (and since one likely assumes it anyway, in any
practical password-based AKE construction) we assume (at least) the random-
oracle model. The random hash function is denoted H. Its argument (in our
construction) will look like sk' || i, where sk' is a string of the session-key
length and i is a fixed-length string encoding one of the numbers 0, 1, or 2. We
require that the AKE protocol never evaluates H at any point of the form sk' || 0,
sk' || 1, or sk' || 2, where sk' ranges over all strings of that length.

The Transformations. The transformation AddCSA (add client-to-server
authentication) works as follows. Suppose that in protocol ' the client A has
accepted sk'_A, sid'_A, pid'_A, and suppose that A then terminates. In the protocol
AddCSA( ') have A send one additional flow, auth_A = H(sk'_A || 2), have A
accept sk_A = H(sk'_A || 0), sid_A = sid'_A, pid_A = pid'_A, and have A terminate,
saving no state. On the server side, suppose that in ' the server B accepts sk'_B,
sid'_B, pid'_B, and terminates. In the new protocol have B receive one more flow,
auth'_A, and have B check if auth'_A = H(sk'_B || 2). If so, then B accepts
sk_B = H(sk'_B || 0), sid_B = sid'_B, pid_B = pid'_B, and then terminates, without
saving any state. Otherwise, B terminates (rejecting), saving no state.

Transformations AddSCA (add server-to-client authentication) and AddMA
(add mutual authentication) are analogous. The latter is illustrated in Figure 5.
In all of these transformations, when a party ends up sending two consecutive
flows, one can always collapse them into one.

          A                                                        B
      (holds pw)                                               (holds pw)

x ←R {1, ..., |G|}
                              A || E_pw(g^x)
                     ───────────────────────────────►
                                                       y ←R {1, ..., |G|}
                                                       sk' ← H(A || B || g^x || g^y || g^xy)
                          E_pw(g^y) || H(sk' || 1)
                     ◄───────────────────────────────
sk' ← H(A || B || g^x || g^y || g^xy)
                                H(sk' || 2)
                     ───────────────────────────────►

Fig. 5. Flows of an honest execution of AddMA(EKE2). The shared SK is
sk = H(sk' || 0) and the shared SID is sid = A || E_pw(g^x) || B || E_pw(g^y). The
PID for A is B and the PID for B is A.

Remark 10. It is crucial in these transformations that the SK produced by '
is not used both to produce an authenticator and as the final session key; if
one does this, the protocol is easily seen to be insecure under our definitions.
This is a common “error” in the design of authentication protocols. It was first
discussed in [3]. □
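The flows of Fig. 5, as an added example (not code from the paper): the EKE2 state machine of Fig. 4 with the AddMA transformation applied, including the key separation of Remark 10. Assumed for readability only: a toy subgroup (p = 1019, q = 509, g = 4), SHA-256 standing in for the random oracle H, and E_pw/D_pw modelled as a lazily sampled random permutation of G per password (the ideal-cipher model); `run` executes the three flows and, under mismatched passwords, shows the client rejecting B's authenticator.

```python
import hashlib
import secrets

# Toy group, NOT for real use: p = 2q + 1 with q prime; g = 4 generates the
# order-q subgroup G of Z_p^* (assumed parameters, chosen for readability).
P, Q, G = 1019, 509, 4
TAG = {"key": 0, "server": 1, "client": 2}   # H(sk'||0), H(sk'||1), H(sk'||2)


def H(*parts) -> bytes:
    """Random oracle H(a || b || ...), modelled by SHA-256 over a
    length-prefixed encoding so that the concatenation is unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(2, "big") + data)
    return h.digest()


def tagged(sk_prime: bytes, use: str) -> bytes:
    """AddMA derivations: the AKE key sk' is only ever hashed with a tag
    (Remark 10: sk' itself is never used as authenticator or session key)."""
    return H(sk_prime, TAG[use])


class IdealCipher:
    """E_pw / D_pw: a random permutation of G for each password, sampled
    lazily (ideal-cipher model; stands in for the paper's E_pw)."""

    def __init__(self):
        self.enc, self.dec = {}, {}        # pw -> {X: X*}, pw -> {X*: X}

    @staticmethod
    def _fresh(used):
        while True:
            v = pow(G, secrets.randbelow(Q) + 1, P)   # uniform element of G
            if v not in used:
                return v

    def E(self, pw, X):
        e, d = self.enc.setdefault(pw, {}), self.dec.setdefault(pw, {})
        if X not in e:
            e[X] = self._fresh(d)          # output not yet used under pw
            d[e[X]] = X
        return e[X]

    def D(self, pw, Y):
        e, d = self.enc.setdefault(pw, {}), self.dec.setdefault(pw, {})
        if Y not in d:
            d[Y] = self._fresh(e)          # input not yet used under pw
            e[d[Y]] = Y
        return d[Y]


def client_flow1(A, B, pw, cipher):
    x = secrets.randbelow(Q) + 1                   # x <-R {1, ..., |G|}
    X_star = cipher.E(pw, pow(G, x, P))            # X* <- E_pw(g^x)
    return (A, X_star), {"x": x, "B": B, "X*": X_star}   # msg-out = A || X*


def server_flow2(B, pw, msg_in, cipher):
    A, X_star = msg_in
    y = secrets.randbelow(Q) + 1
    Y = pow(G, y, P)
    X = cipher.D(pw, X_star)
    sk_prime = H(A, B, X, Y, pow(X, y, P))         # H(A||B||X||Y||K), K = X^y
    Y_star = cipher.E(pw, Y)
    state = {"sk'": sk_prime, "sid": (A, X_star, B, Y_star), "pid": A}
    return (Y_star, tagged(sk_prime, "server")), state   # Y* || H(sk'||1)


def client_flow3(A, pw, state, msg_in, cipher):
    Y_star, auth_B = msg_in
    Y = cipher.D(pw, Y_star)
    X = pow(G, state["x"], P)
    sk_prime = H(A, state["B"], X, Y, pow(Y, state["x"], P))   # K = Y^x
    if not secrets.compare_digest(auth_B, tagged(sk_prime, "server")):
        return None, None                          # server failed to authenticate: reject
    sid = (A, state["X*"], state["B"], Y_star)
    result = {"sk": tagged(sk_prime, "key"), "sid": sid, "pid": state["B"]}
    return tagged(sk_prime, "client"), result      # third flow: H(sk'||2)


def server_finish(state, auth_A):
    if auth_A is None or not secrets.compare_digest(auth_A, tagged(state["sk'"], "client")):
        return None                                # client failed to authenticate: reject
    return {"sk": tagged(state["sk'"], "key"), "sid": state["sid"], "pid": state["pid"]}


def run(pw_client, pw_server, A="alice", B="srv"):
    """Run the three flows of Fig. 5; returns (client result, server result, flows)."""
    cipher = IdealCipher()
    m1, st_a = client_flow1(A, B, pw_client, cipher)
    m2, st_b = server_flow2(B, pw_server, m1, cipher)
    m3, res_a = client_flow3(A, pw_client, st_a, m2, cipher)
    return res_a, server_finish(st_b, m3), (m1, m2, m3)
```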

Properties. Several theorems can be pursued about how the security of '
relates to that of AddCSA( '), AddSCA( '), and AddMA( '). These capture
the following. If ' is good in the AKE sense, then AddCSA( ') is good in the
AKE sense and in the client-to-server authentication sense. If ' is good in the
AKE sense, then AddSCA( ') is good in the AKE sense and in the server-to-client
authentication sense. If ' is good in the AKE sense, then AddMA( ') is good in
the AKE sense, the client-to-server authentication sense, and the server-to-client
authentication sense. The weak form of forward secrecy mentioned in Remark 7
is also interesting in connection with AddCSA and AddMA, since these
transformations apparently “upgrade” good weak forward secrecy to good
ordinary forward secrecy.

Simplifications. The generic transformations given by AddCSA, AddSCA and
AddMA do not always give rise to the most efficient method for the final goal.
Consider the protocol AddMA(EKE2) of Figure 5. It would seem that the
encryption in the second flow can be eliminated and one still has a good protocol
for AKE with MA. However, we know of no approach towards showing such a
protocol secure short of taking the first two flows of that protocol and showing
that they comprise a good AKE protocol with server-to-client authentication,
and then applying the AddCSA transformation.

Given the complexity of proofs in this domain and the tremendous variety of
simple and plausibly correct protocol variants, it is a major open problem in this
area to find techniques which will let us deal with the myriad of possibilities,
proving the correct ones correct, without necessitating an investment of months
of effort to construct a “rigid” proof for each and every possibility.
Abstract. When designing password-authenticated key exchange protocols
(as opposed to key exchange protocols authenticated using cryptographically
secure keys), one must not allow any information to be leaked
that would allow verification of the password (a weak shared key), since
an attacker who obtains this information may be able to run an off-line
dictionary attack to determine the correct password. We present a new
protocol called PAK which is the first Diffie-Hellman-based password-
authenticated key exchange protocol to provide a formal proof of security
(in the random oracle model) against both passive and active adversaries.
In addition to the PAK protocol that provides mutual explicit
authentication, we also show a more efficient protocol called PPK that
is provably secure in the implicit-authentication model. We then extend
PAK to a protocol called PAK-X, in which one side (the client) stores a
plaintext version of the password, while the other side (the server) only
stores a verifier for the password. We formally prove security of PAK-X,
even when the server is compromised. Our formal model for password-
authenticated key exchange is new, and may be of independent interest.



1 Introduction 

Two entities, who only share a password, and who are communicating over an 
insecure network, want to authenticate each other and agree on a large session 
key to be used for protecting their subsequent communication. This is called the 
password-authenticated key exchange problem. If one of the entities is a user and 
the other is a server, then this can be seen as a problem in the area of remote user 
access. Many solutions for remote user access rely on cryptographically secure 
keys, and consequently have to deal with issues like key management, public-key 
infrastructure, or secure hardware. Many solutions that are password-based, like 
telnet or Kerberos, have problems that range from being totally insecure (telnet 
sends passwords in the clear) to being susceptible to certain types of attacks 
(Kerberos is vulnerable to off-line dictionary attacks [30]). 

Over the past decade, many password-authenticated key exchange protocols 
that promised increased security have been developed, e.g., [8,9,19,18,28,21,22], 
[24,29]. Some of these have been broken [26], and, in fact, only two very recent 
ones have been formally proven secure. The SNAPI protocol in [25] is proven 
secure in the random oracle model [5,6,14], assuming the security of RSA (and 
also Decision Diffie-Hellman [11], when perfect forward secrecy is desired). The 
simple and elegant protocol in [3] is proven as secure as Decision Diffie-Hellman 
in a model that includes random oracles and ideal block ciphers. (Our protocol 
and the protocol of [3] were developed independently.) 

We present a new password-authenticated key exchange protocol called PAK 
(Password Authenticated Key exchange), which provides perfect forward secrecy 
and is proven to be as secure as Decision Diffie-Hellman in the random oracle 
model. Compared to the protocol of [25], PAK (1) does not require the RSA 
assumption, (2) has fewer rounds, and (3) is conceptually simpler, with a simpler 
proof. Compared to the protocol of [3], PAK does not require an ideal block 
cipher assumption for security, but has a more complicated proof. (We note that 
the ideal block cipher assumption is used much less often in the literature than 
the random oracle assumption.) In the full paper [13], we also show how the 
security of PAK can be related to the Computational Diffie-Hellman problem. 

In addition to PAK, we also show a more efficient 2 round protocol called 
PPK (Password-Protected Key exchange) that is provably secure in the implicit- 
authentication model. We then extend PAK to a protocol called PAK-X, in 
which one side (the client) stores a plaintext version of the password, while the 
other side (the server) only stores a verifier for the password. We formally prove 
security of PAK-X, even when the server is compromised. Security in this case 
refers to an attacker not being able to pose as a client after compromising the 
server; naturally, it would be trivial to pose as the server. 

Our formal model for password-authenticated key exchange is new, and may 
be of independent interest. It is based on the formal model for secure key ex- 
change by Shoup [27] (which follows the work of [2]), enhanced with notions of 
password authentication security from [20,25]. This model is based on the multi- 
party simulatability tradition (e.g. [1]), in which one first defines an ideal system 
that models, using a trusted center, the service to be performed (in this case, 
password-authenticated key exchange), and then one proves that the protocol 
running in the real world is essentially equivalent to that ideal system. 



2 Background 

User Authentication: Techniques for user authentication are broadly based 
on one or more of the following categories: (1) what a user knows, (2) what a 
user is, or (3) what a user has. The least expensive and most convenient solutions 
for user authentication have been based on the first category, of “what a user 
knows,” and that is what we will focus on in this paper. 

In fact, we will focus on the harder problem of remote user authentication.
The need for remote user authentication is greatly increasing, due mainly to the
explosive growth of the Internet and other types of networks, such as wireless
communication networks. In any of these environments, it is safest to assume
that the underlying links or networks are insecure, and we should expect that
a powerful adversary would be capable of eavesdropping, deleting and inserting
messages, and also initiating sessions.

Now we consider the question, “What can a user know?” It is common knowl- 
edge that users cannot remember long random numbers, hence if the user is 
required to know a large secret key (either symmetric or private/public) then 
these keys will have to be stored on the user’s system. Furthermore, keeping 
these secret requires an extra security assumption and introduces a new point of 
weakness. Even if a user is required to know some public but non-generic data, 
like the server’s public key, this must be stored on the user’s system and requires 
an extra assumption that the public key cannot be modified. In either case, (1) 
there is a significant increase in administration overhead because both secret and 
public keys have to be generated and securely distributed to the user’s system 
and the server, and (2) this would not allow for users to walk up to a generic 
station that runs the authentication protocol and be able to perform secure re- 
mote authentication to a system that was previously unknown to that station 
(such as, perhaps, the user’s home system). 

To solve these problems one may wish to use a trusted third party, either 
on-line (as in Kerberos) or off-line (i.e., a certification authority). However, the 
fact that the third party is “trusted” implies another security requirement. Also, 
the users or servers must at some point interact with the third party before they 
can communicate remotely, which increases the overhead of the whole system. 
Naturally, if an organized and comprehensive PKI emerges, this may be less of 
a problem. Still, password-only protocols seem very inviting because they are 
based on direct trust between a user and a server, and do not require the user 
to store long secrets or data on the user’s system. They are thus cheaper, more 
flexible, and less administration-intensive. They also allow for a generic protocol 
which can be pre-loaded onto users’ systems. 

Password-Authentication Protocols: Traditional password protocols are
susceptible to off-line dictionary attacks: Many users choose passwords of
relatively low entropy, so it is possible for the adversary to compile a dictionary
of likely passwords. Obviously, we can’t prevent the adversary from trying the
passwords on-line, but such an attack can be made infeasible by simply placing a
limit on the number of unsuccessful authentication attempts. On the other hand,
an off-line search through the dictionary is quite doable. Here is an example of an
attack against a simple challenge-response protocol: The adversary overhears a
challenge R and the associated response f(P, R) that involves the password. Now
she can go off-line and run through all the passwords P' from a dictionary of
likely passwords, comparing the value f(P', R) with f(P, R). If one of the values
matches the response, then the true password has been discovered.

A decade ago, Lomas et al. [23] presented the first protocols which were 
resistant to these types of off-line dictionary attacks. The protocols assumed 
that the client had the server’s public key and thus were not strictly password- 
only protocols. Other protocols for this scenario were developed in [19,20,12]. 

The EKE protocol [8] was the first password authenticated key exchange
protocol that did not require the user to know the server’s public key. The
idea of EKE was to use the password to symmetrically encrypt the protocol
messages of a standard key exchange (e.g., Diffie-Hellman [15]). Then an attacker
making a password guess could decrypt the symmetric encryption, but could
not break the asymmetric encryption in the messages, and thus could not verify
the guess. Following EKE, many password authenticated key exchange protocols
were proposed [9,19,18,28,21,22,24,29]. Some of these protocols were, in addition,
designed to protect against server compromise, so that an attacker that was
able to steal data from a server could not later masquerade as a user without
having performed a dictionary attack.¹ All of these protocol proposals contained
informal arguments for security. However, the fact that some versions of these
protocols were subsequently shown to be insecure [26] should emphasize the
importance of formal proofs of security.

Models for Secure Authentication and Key Exchange: Bellare and Ro- 
gaway [4] presented the first formal model of security for entity authentication 
and key exchange, for the symmetric two party case. In [7] they extend it to the 
three party case. Blake-Wilson et al. [10] further extend the model to cover the 
asymmetric setting. Independently, [25] and [3] present extensions to the model 
to allow for password authentication. Halevi and Krawczyk [20] and Boyarsky 
[12] present models which include both passwords and asymmetric keys (since 
they deal with password-based protocols that also rely on server public keys). 

Bellare, Canetti, and Krawczyk [2] present a different model for security of 
entity authentication and key exchange, based on the multi-party simulatability 
tradition [1]. Shoup [27] refines and extends their model. We present a further 
extension of [27] that includes password authentication. 

3 Model 

For our proofs, we extend the formal notion of security for key exchange protocols 
from Shoup [27] to password-authenticated key exchange. We assume that the 
adversary totally controls the network, à la [4]. 

Security for key exchange in [27] is defined using an ideal system, which 
describes the service (of key exchange) that is to be provided, and a real system, 
which describes the world in which the protocol participants and adversaries 
work. The ideal system should be defined such that an “ideal world adversary” 
cannot (by definition) break the security. Then, intuitively, a proof of security 
would show that anything an adversary can do in the real system can also be 
done in the ideal system, and thus it would follow that the protocol is secure in 
the real system. 

3.1 Ideal System 

Our ideal system follows [27], except for the addition of password authentication
and a slight modification to explicitly handle mutual authentication. We assume
that there is a set of (honest) users, indexed i = 1, 2, .... Each user i may have
several instances j = 1, 2, .... Then (i, j) refers to a given user instance. A user
instance (i, j) is told the identity of its partner, i.e., the user it is supposed to
connect to (or receive a connection from). An instance is also told its role in the
session, i.e., whether it is going to open itself for connection, or whether it is
going to connect to another instance.

¹ Naturally, given the data from a server, an attacker could perform an off-line
dictionary attack, since the server must know something to verify a user’s password.

There is also an adversary that may perform certain operations, and a ring 
master that handles these operations by generating certain random variables 
and enforcing certain global consistency constraints. Some operations result in 
a record being placed in a transcript. 

The ring master keeps track of session keys {K_ij} that are set up among 
user instances (as will be explained below, the key of an instance is set when 
that instance starts a session). In addition, the ring master has access to a 
random bit string R of some agreed-upon length (this string is not revealed 
to the adversary). We will refer to R as the environment. The purpose of the 
environment is to model information shared by users in higher-level protocols. 

Since we deal with password authentication, and since passwords are not 
cryptographically secure, our system must somehow allow a non-negligible prob- 
ability of an adversary successfully impersonating an honest user. We do this 
by including passwords explicitly in our model. We let π denote the function
assigning passwords to pairs of users. To simplify notation, we will write π[A, B]
to mean π[{A, B}] (i.e., π[A, B] is by definition equivalent to π[B, A]).

The adversary may perform the following types of operations:

initialize user [Transcript: ("initialize user", i, ID_i)]
    The adversary assigns identity string ID_i to (new) user i. In addition, a
    random password π[ID_i, ID_i'] is chosen by the ring master for each existing
    user i' (see the discussion below on the distribution from which these
    passwords are generated). The passwords are not placed in the transcript. This
    models the out-of-band communication required to set up passwords between
    users.

set password [Transcript: ("set password", i, ID', π)]
    The identity ID' is required to be new, i.e., not assigned to any user. This
    sets π[ID_i, ID'] to π and places a record in the transcript.
    After ID' has been specified in a set password operation, it cannot be used
    in a subsequent initialize user operation.

initialize user instance [Transcript: ("initialize user instance", i, j,
role(i, j), PID_ij)]
    The adversary assigns a user instance (i, j) a role (one of {open, connect})
    and a user PID_ij that is supposed to be its partner. If PID_ij is not set to an
    identity of an initialized user, then we require that a set password operation
    has been previously performed for i and PID_ij (and hence there can be no
    future initialize user operation with PID_ij as the user ID).

terminate user instance [Transcript: ("terminate user instance", i, j)]
    The adversary specifies a user instance (i, j) to terminate.

test instance password
    This is called with an instance (i, j) and a password guess π. The returned
    result is either true or false, depending on whether π = π[ID_i, PID_ij]. If
    the result is true, then this query is called a successful guess on {ID_i, PID_ij}
    (note that a successful guess on {A, B} is also a successful guess on {B, A}).
    This query may only be asked once per user instance. The instance has to be
    initialized and not yet engaged in a session (i.e., no start session operation
    has been performed for that instance). Note that the adversary is allowed to
    ask a test instance password query on an instance that has been terminated.
    This query does not leave any records in the transcript.

start session [Transcript: ("start session", i, j)]
    The adversary specifies that a session key K_ij for user instance (i, j) should
    be constructed. The adversary specifies which connection assignment should
    be used. There are three possible connection assignments:

    open for connection from (i', j'). This requires that role(i, j) is “open,”
    (i', j') has been initialized and has not been terminated, role(i', j') is
    “connect,” PID_ij = ID_i', PID_i'j' = ID_i, no other instance is open for
    connection from (i', j'), and no test instance password operation has been
    performed on (i, j). The ring master generates K_ij randomly. We now
    say that (i, j) is open for connection from (i', j').

    connect to (i', j'). This requires that role(i, j) is “connect,” (i', j') has
    been initialized and has not been terminated, role(i', j') is “open,”
    PID_ij = ID_i', PID_i'j' = ID_i, (i', j') was opened for connection from (i, j)
    after (i, j) was initialized and is still open for connection from (i, j), and
    no test instance password operation has been performed on (i, j). The
    ring master sets K_ij = K_i'j'. We now say that (i', j') is no longer open
    for connection.

    expose. This requires that either PID_ij has not been assigned to an identity
    of an initialized user, or there has been a successful guess on {ID_i, PID_ij}.
    The ring master sets K_ij to the value specified by the adversary.

    Note that the connection assignment is not recorded in the transcript.

application [Transcript: ("application", f, f(R, {K_ij}))]
    The adversary is allowed to obtain any information she wishes about the
    environment and the session keys. (This models leakage of session key
    information in a real protocol through the use of the key in, for example,
    encryptions of messages.) The function f is specified by the adversary and
    is assumed to be efficiently computable.

implementation [Transcript: ("impl", cmnt)]
    The adversary is allowed to put in an “implementation comment” which does
    not affect anything else in the ideal world. This will be needed for generating
    ideal world views that are equivalent to real world views, as will be discussed
    later.

For an adversary A*, IdealWorld(A*) is the random variable denoting the
transcript of the adversary’s operations.

Discussion (Password Authentication): Our system correctly describes the ideal 
world of password authenticated key exchange. If two users successfully complete 
a key exchange, then the adversary cannot obtain the key or the password. This 
is modeled by the adversary not being allowed any test instance password queries 
on an instance after a successful key exchange. Our ideal model explicitly uses 
(ring master generated) passwords, and an adversary can only obtain information 
about a password by issuing a test instance password query for an instance, 
signifying an impersonation attempt by the adversary against the key exchange 
protocol run by that instance. (One may think of this as modeling an adversary 
who attempts to log in to a server by sending a guessed password.) 

We did not specify how the ring master chooses passwords for pairs of users. 
The simplest model would be to have a dictionary D, which is a set of strings, and 
let all passwords be chosen uniformly and independently from that dictionary. 
To achieve the strongest notion of security, though, we can give the adversary 
all the power, and simply let her specify the distribution of the passwords as an 
argument to the initialize user operation (the specification of the distribution 
would be recorded in the transcript). The passwords of a user could even be 
dependent on the passwords of other users. We note that our proofs of security 
do not rely on any specific distribution of passwords, and would thus be correct 
even in the stronger model. 

We also model the ability of the adversary to set up passwords between any 
users and herself, using the set password query. This can be thought of as letting 
the adversary set up rogue accounts on any computer she wishes, as long as 
those rogue accounts have different user IDs from all the valid users. 

3.2 Real System with Passwords 

Now we describe the real system in which we assume a password-authenticated 
key exchange protocol runs. Again, this is basically from [27], except that we 
do not concern ourselves with public keys and certification authorities, since all 
authentication is performed using shared passwords. 

Users and user instances are denoted as in the ideal system. User instances 
are defined as state machines with implicit access to the user’s ID, PID, and 
password (i.e., user instance (i, j) is given access to π[ID_i, PID_ij]). User instances 
also have access to private random inputs (i.e., they may be randomized). A 
user instance starts in some initial state, and may transform its state only when 
it receives a message. At that point it updates its state, generates a response 
message, and reports its status, either “continue”, “accept”, or “reject”, 
with the following meanings: 

— “continue”: the user instance is prepared to receive another message. 

— “accept”: the user instance (say (i, j)) is finished and has generated a
session key K_ij.

— “reject”: the user instance is finished, but has not generated a session key. 

The adversary may perform the following types of operations: 

initialize user [Transcript: ("initialize user", i, ID_i)]

initialize user instance [Transcript: ("initialize user instance", i, j,
role(i, j), PID_ij)]

set password [Transcript: ("set password", i, ID', π)]

application [Transcript: ("application", f, f(R, {K_ij}))]

All above as in the ideal system.

deliver message [Transcript: ("impl", "message", i, j, InMsg, OutMsg, status)]
    The adversary delivers InMsg to user instance (i, j). The user instance
    updates its state, and replies with OutMsg and reports status. If status is
    “accept”, the record ("start session", i, j) is added to the transcript, and
    if status is “reject”, the record ("terminate instance", i, j) is added to the
    transcript.

random oracle [Transcript: ("impl", "random oracle", i, x, H_i(x))]
    The adversary queries random oracle i on a binary string x and receives
    the result of the random oracle query H_i(x). Note that we do not allow
    application operations to query random oracles H_i. In other words, we do
    not give higher-level protocols access to the random oracles used by the
    key exchange scheme (although a higher-level protocol could have its own
    random oracles). The adversary, however, does have access to all the random
    oracles.

For an adversary A, RealWorld(A) denotes the transcript of the adversary’s
operations. In addition to records made by the operations, the transcript
will include the random coins of the adversary in an implementation record
("impl", "coins", coins).

3.3 Definition of Security 

The definition of security for key exchange given in [27] requires 

1. completeness: for any real world adversary that faithfully delivers messages
between two user instances with complementary roles and identities, both
user instances accept; and

2. simulatability: for every efficient real world adversary A, there exists an
efficient ideal world adversary A* such that RealWorld(A) and IdealWorld(A*)
are computationally indistinguishable.

We will use this definition for password-authenticated key exchange as well.²

4 Explicit Authentication: The PAK Protocol 

4.1 Preliminaries 

Let κ and ℓ denote our security parameters, where κ is the “main” security
parameter and can be thought of as a general security parameter for hash functions

² We can do this because our ideal model includes passwords explicitly. If it did not, we
would have to somehow explicitly state the probability of distinguishing real world
from ideal world transcripts, given how many impersonation attempts the real world
adversary has made.
Fig. 1. PAK protocol, with π = π[A, B]. The resulting session key is K. If a
“Test” returns false, the protocol is aborted.



and secret keys (say 128 or 160 bits), and ℓ > κ can be thought of as a security
parameter for discrete-log-based public keys (say 1024 or 2048 bits). Let {0, 1}*
denote the set of finite binary strings and {0, 1}^n the set of binary strings of
length n. A real-valued function ε(n) is negligible if for every c > 0, there exists
n_c > 0 such that ε(n) < 1/n^c for all n > n_c.

Let q of size at least κ and p of size ℓ be primes such that p = rq + 1 for
some value r co-prime to q. Let g be a generator of a subgroup of Z_p^* of size q.
Call this subgroup G_{p,q}. We will often omit “mod p” from expressions when it
is obvious that we are working in Z_p^*.

Let DH(X, Y) denote the Diffie-Hellman value g^{xy} of X = g^x and Y = g^y. We
assume the hardness of the Decision Diffie-Hellman problem (DDH) in G_{p,q}. One
formulation is that given g, X, Y, Z in G_{p,q}, where X = g^x and Y = g^y are chosen
randomly, and Z is either DH(X, Y) or random, each with half probability,
determine if Z = DH(X, Y). Breaking DDH implies constructing a polynomial-
time adversary that distinguishes Z = DH(X, Y) from a random Z with non-
negligible advantage over a random guess.



4.2 The Protocol 

Define hash functions H_2a, H_2b, H_3 : {0, 1}* → {0, 1}^κ and H_1 : {0, 1}* →
{0, 1}^η (where η > ℓ + κ). We will assume that H_1, H_2a, H_2b, and H_3 are
independent random functions. Note that while H_1 is described as returning a
bit string, we will operate on its output as a number modulo p.

The PAK protocol is given in Figure 1. 

Theorem 1. The PAK protocol is a secure password-authenticated key exchange protocol in the explicit-authentication model.
Proof: (Sketch) The completeness requirement follows directly by inspection. Here we sketch the proof that the simulatability requirement holds. Complete details are presented in the full paper [13]. The basic technique is essentially that of Shoup [27]. The idea is to create an ideal world adversary A* by running the real world adversary A against a simulated real system, which is built on top of the underlying ideal system. In particular, A* (i.e., the simulator combined with A) will behave in the ideal world just like A behaves in the real world, except that idealized session keys will be used in the real world simulation instead of the actual session keys computed in the real system.

Thus, our proof consists of constructing a simulator (that is built on top 
of an ideal system) for a real system so that the transcript of an adversary 
attacking the simulator is computationally indistinguishable from the transcript 
of an adversary attacking the real system. 

Simulator. The general idea of our simulator is to try to detect guesses on 
the password (by examining the adversary’s random oracle queries) and turn 
them into test instance password queries. If the simulator does not detect a 
password guess, then it either sets up a connection between two instances (if all 
the messages between them have been correctly relayed), or rejects (otherwise). 
The main difficulty in constructing the simulator is that we need to respond 
to the adversary’s requests without knowing the actual passwords. This causes 
us to use random values in place of the results of those random oracle calls 
that take the password as an argument. We can think of these as “implicit” 
oracle calls. In handling the adversary’s explicit random oracle queries, as well 
as those protocol operations that use random oracles, we need to make sure that 
we don’t use inconsistent values for the result of a random oracle on a certain 
input. Specifically, we must make sure the random oracle queries to H_2a and H_2b are consistent with the k and k' values sent or received by the user instances. This is relatively straightforward (using test instance password queries) except when the adversary sends a μ value back to an initiator instance. To be able to determine the password being tested by the adversary in this case, we will make sure the simulator has answered each H_1(A, B, π) query using a random value for which it knows the discrete log (after that value is raised to the r).

Indistinguishability. The simulation described above is indistinguishable from
the real world as long as the simulator does not need to perform a test instance 
password query that is disallowed in the ideal world. Specifically, by the rules of 
the ideal world, (1) only one of these queries can be made for each user instance, 
and (2) the query cannot be made at all for any instance that performs a start 
session operation (previously or in the future). So to finish our proof, we need to 
show that if the adversary can break either rule with non-negligible probability, 
then we can break the DDH Assumption with non-negligible probability. 

The idea of the proof of (2) goes as follows. Say that the offending query is made within the first T queries. (T is bounded by the adversary’s running time and must be polynomial.) Take a DDH challenge (X, Y, Z). Run the simulation (playing the ringmaster also, i.e., choosing our own passwords) with the following changes: Choose a random d ∈ [0, T]. On the dth deliver message query to initiate a protocol, say for users A and B, set m = X. For any B instance that receives m = X, set μ = Y g^y for some random y. If the adversary makes a query to H_2a, H_2b, or H_3 with A, B, m, μ as calculated above, σ, and π, where σ = Z X^y / … for … the discrete log of (H_1(A, B, π))^r, guess that the DDH challenge is a true DH instance. All other queries are answered in a straightforward way, except that the adversary may make a valid password guess using its own y and σ, for which the simulator cannot verify the σ value (because the simulator does not know the discrete log of X). In this case we flip a coin to decide whether to accept or not, and continue the simulation. It can be shown that if the adversary is able to break this ideal world rule with probability ε, then we will give a correct response to the DDH challenge with probability roughly 1/2 + ε/4. (The 4 in the denominator comes from the half probability of the DDH challenge being a true DH instance and the half probability of a correct coin flip.)

The idea of the proof of (1) goes as follows. Say that the offending queries occur within the first T queries. Let the DDH challenge be (X, Y, Z). Run the simulation (playing the ringmaster also) with the following changes: Choose a random d ∈ [0, T]. Assume the bad event will occur for the dth pair of users mentioned (either in an H_1(A, B, ·) query or an initialize user instance with A and partner B). Each time H_1(A, B, π) is queried for some π, flip a coin to decide whether to include a factor of X in the return value. For any first message to a B instance with partner A, set μ = Y g^y for some random y. Note that the σ values used in any pair of H_2a, H_2b, and H_3 queries for the same A, B, m, μ (where μ was calculated as Y g^y), and using two different password guesses (π_1 and π_2), can be tested against the Z value if exactly one of H_1(A, B, π_1) and H_1(A, B, π_2) included a factor of X in its calculation. If any of these pairs tests positively for the Z value, guess that the DDH challenge is a true DH instance. All other queries are answered in a straightforward way. It can be shown that if the adversary is able to break this ideal world rule with probability ε, then we will give a correct response to the DDH challenge with probability roughly 1/2 + ε/4. (The 4 in the denominator comes from the half probability of the DDH challenge being a true DH instance and the half probability of the adversary making queries for two passwords in which exactly one included a factor of X in the H_1(·) calculation.) □

5 Implicit Authentication: The PPK Protocol 

We first describe an Ideal System with Implicit Authentication, and then describe the PPK protocol. Note that we still use the Real System from Section 3.2.

5.1 Ideal System with Implicit Authentication 

Here we consider protocols in which the parties are implicitly authenticated, 
meaning that if one of the communicating parties is not who she claims to be, 
she simply won’t be able to obtain the session key of the honest party. The 
honest party (which could be playing the role of either “open” or “connect”) would still open a session, but no one would be able to actually communicate with her on that session. Thus, some of the connections may be “dangling.” We will allow two new connection assignments:

dangling open. This requires role(i, j) to be “open.”
dangling connect. This requires role(i, j) to be “connect.”

In both cases, the ring master generates K_{ij} randomly.

To use implicit authentication with passwords, we will make the following 
rules: 

— Dangling connection assignments are allowed even for instances on which 
the test instance password query has been performed. 

— A test instance password query is allowed on an instance, even if it has 
already started a session with a dangling connection assignment. 

We still restrict the number of test instance password queries to at most one per 
instance. The rules relating to other connection assignments do not change. 

The reason for this permissiveness is that an instance with a dangling con- 
nection assignment can’t be sure that it wasn’t talking to the adversary. All that 
is guaranteed is that the adversary won’t be able to get the key of that instance, 
unless she correctly guesses the password. 

In practice, this means that we can’t rule out an unsuccessful password guess 
attempt on an instance until we can confirm that some partner instance has ob- 
tained the same key. It follows that if we are trying to count the number of 
unsuccessful login attempts (e.g., so that we can lock the account when some 
threshold is reached), we can’t consider an attempt successful until we get some 
kind of confirmation that the other side has obtained the same key. We thus see 
that key confirmation (which, in our model, is equivalent to explicit authentica- 
tion) is indeed relevant when we use passwords. 



5.2 PPK Protocol 

If we don’t require explicit authentication, we can make a much more efficient 
protocol. The PPK protocol requires only two rounds of communication. The 
protocol is given in Figure 2. 

Theorem 2. The PPK protocol is a secure password-authenticated key exchange protocol in the implicit-authentication model.

The completeness requirement follows directly by inspection. The proof of 
simulatability is omitted due to page limits. The basic structure of the proof is 
very similar to that of the PAK protocol. 

Footnote: In a later version of [27], Shoup also deals with implicit authentication, but in a different way. We feel our solution is more straightforward and intuitive.

Fig. 2. PPK protocol, with π = π[A, B]. The resulting session key is K.

6 Resilience to Server Compromise — The PAK-X Protocol

6.1 Ideal System with Passwords — Resilience to Server Compromise 

Now we define a system in which one party is designated as a server, and which 
describes the ability of an adversary to obtain information about passwords 
stored on the server, along with the resultant security. To accomplish this, one 
role (open or connect) is designated as the server role, while the other is desig- 
nated as the client role. We add the test password and get verifier operations, 
and change the start session operation. 

test password

This query takes two users, say i and i', as arguments, along with a password guess π. If a get verifier query has been made on {i, i'}, then this returns whether π = π[ID_i, ID_{i'}]. If the comparison returns true, this is called a successful guess on {ID_i, ID_{i'}}. If no get verifier has been made on {i, i'}, then no answer is returned (but see the description of get verifier below). This query does not place a record in the transcript. It can be asked any number of times, as long as the next query after every test password is of type implementation. (The idea of the last requirement is that a test password query has to be caused by a “real-world” operation, which leaves an implementation record in the transcript.)

get verifier [Transcript: ("get verifier", i, i')]

Arguments: users i and i'. For each test password query on {i, i'} that has previously been asked (if any), returns whether or not it was successful. If any one of them actually was successful, then this get verifier query is called a successful guess on {ID_i, ID_{i'}}. Note that the information about the success or failure of test password queries is not placed in the transcript.

start session [Transcript: ("start session", i, j)]

In addition to the rules specified previously, a connection assignment of expose for client instance (i, j) is allowed at any point after a get verifier query on users i and i' has been performed, where ID_{i'} = PID_{ij}.



The test password query does not affect the legality of open and connect connection assignments.

6.2 Real System — Resilience to Server Compromise 

In a real system that has any resilience to server compromise, the server must 
not store the plaintext password. Instead, the server stores a verifier to verify 
a user’s password. Thus, the protocol has to specify a PPT verifier generation 
algorithm VGen that, given a set of user identities {A, B}, and a password tt, 
produces a verifier V . 

As above for π[A, B], we will write V[A, B] to mean V[{A, B}].

A user instance (i, j) in the server role is given access to V[ID_i, PID_{ij}]. A user instance (i, j) in the client role is given access to π[ID_i, PID_{ij}].

The changes to the initialize user and set password operations are given here:

initialize user [Transcript: ("initialize user", i, ID_i)]

In addition to what is done in the basic real system, V[ID_i, ID_{i'}] = VGen({ID_i, ID_{i'}}, π[ID_i, ID_{i'}]) is computed for each i'.

set password [Transcript: ("set password", i, ID', π)]

In addition to what is done in the basic real system, V[ID_i, ID'] is set to VGen({ID_i, ID'}, π).

We add the get verifier operation here:

get verifier [Transcript: ("get verifier", i, i'), followed by ("impl", "verifier", i, i', V[ID_i, ID_{i'}])]

The adversary performs this query with i and i' as arguments, with V[ID_i, ID_{i'}] being returned.

6.3 PAK-X Protocol 

In our protocol, we will designate the open role as the client role. We will use A and B to denote the identities of the client and the server, respectively. In addition to the random oracles we have used before, we will use additional functions H_0 : {0,1}* → {0,1}^… and H_… : {0,1}* → {0,1}^…, which we will assume to be random functions. The verifier generation algorithm is

VGen({A, B}, π) = g^{v[A,B]},

where we define v[A, B] = H_0(min(A, B), max(A, B), π) (we need to order user identities, just so that any pair of users has a unique verifier).

The PAK-X protocol is given in Figure 3. 
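The following Python block is an added example, not code from the PAK/PAK-X paper: it instantiates the group G_{p,q} of Section 4.1 (p = rq + 1, g of order q) and the Diffie-Hellman value DH(X, Y), and then the PAK-X verifier generation VGen({A, B}, π) = g^{v[A,B]} with identities ordered as Section 6.3 prescribes. The demo bit sizes (64-bit q, 128-bit p), the seeded generator and the modelling of the random oracle H_0 by SHA-256 reduced modulo q are assumptions of this example; the paper’s parameters are far larger.

```python
import hashlib
import random

# Added example (not from the paper): toy instantiation of G_{p,q} and of
# PAK-X VGen.  Bit sizes, the seeded RNG and SHA-256 standing in for H_0 are
# assumptions of this demo, not the paper's parameters.

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with random bases (adequate for a demo, not for production)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(qbits=64, pbits=128, seed=1):
    """Return (p, q, g, r) with p = rq + 1, gcd(r, q) = 1 and g of order q in Z_p^*."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        r = rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))
        r &= ~1                      # r even so that p = rq + 1 is odd
        p = r * q + 1
        if r % q != 0 and is_probable_prime(p, rng):
            break
    while True:
        h = rng.randrange(2, p - 1)
        g = pow(h, r, p)             # order divides q; equals q unless g == 1
        if g != 1:
            return p, q, g, r

def dh(p, g, x, y):
    """DH(X, Y) = g^{xy}: computed from both sides as a consistency check."""
    X, Y = pow(g, x, p), pow(g, y, p)
    left, right = pow(Y, x, p), pow(X, y, p)
    assert left == right
    return left

def vgen(p, q, g, id_a, id_b, password):
    """VGen({A,B}, pi) = g^{v[A,B]}, v[A,B] = H_0(min(A,B), max(A,B), pi).
    H_0 is modelled by SHA-256 over a length-prefixed encoding, reduced mod q."""
    lo, hi = sorted([id_a, id_b])
    data = b"".join(len(s).to_bytes(2, "big") + s
                    for s in (lo.encode(), hi.encode(), password.encode()))
    v = int.from_bytes(hashlib.sha256(data).digest(), "big") % q
    return pow(g, v, p)

if __name__ == "__main__":
    p, q, g, r = gen_group()
    print("p = rq + 1:", p == r * q + 1, " g^q = 1:", pow(g, q, p) == 1)
    V1 = vgen(p, q, g, "alice", "bob", "correct horse")
    V2 = vgen(p, q, g, "bob", "alice", "correct horse")
    print("verifier independent of identity order:", V1 == V2)
```

The point of the ordering in vgen is visible in the last lines: the server stores V = g^v, which is the same value whichever party is named first, and recovering π from V requires a dictionary search plus one exponentiation per guess, which is exactly the residual risk Section 6.1 models with the get verifier and test password operations.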

Theorem 3. The PAK-X protocol is a secure password-authenticated key exchange protocol in the explicit-authentication model, with resilience to server compromise.

The completeness requirement follows directly by inspection. The proof of 
simulatability is omitted due to page limits. (The technique that allows us to 
perform authentication where the server stores a verifier instead of the password 
itself is similar to the technique developed independently in [17] to obtain an 
efficient encryption scheme secure against an adaptive chosen-ciphertext attack.) 
Fig. 3. PAK-X protocol, with π = π[A, B], v = v[A, B], and V = V[A, B]. The resulting session key is K.

Abstract. Cryptography is more and more concerned with elaborate
protocols involving many participants. In some cases, it is crucial to be 
sure that players behave fairly especially when they use public key en- 
cryption. Accordingly, mechanisms are needed to check the correctness 
of encrypted data, without compromising secrecy. We consider an op- 
timistic scenario in which users have pairs of public and private keys 
and give an encryption of their secret key with the public key of a third 
party. In this setting we wish to provide a publicly verifiable proof that 
the third party is able to recover the secret key if needed. Our emphasis 
is on size; we believe that the proof should be of the same length as the 
original key. 

In this paper, we propose such proofs of fair encryption for El Gamal and
RSA keys, using the Paillier cryptosystem. Our proofs are really efficient 
since in practical terms they are only a few hundred bytes long. As an 
application, we design a very simple and efficient key recovery system. 



1 Introduction 

In some cryptographic applications it is crucial to be sure that players behave 
fairly, especially when they use public key encryption. For example, we can 
consider a voting scheme where each player encrypts the name of his favorite 
candidate. It can be useful to convince anybody that the encrypted name is 
indeed in the list of the candidates without revealing any information about this 
name. Accordingly, mechanisms are needed to check the correctness of encrypted 
data, without compromising secrecy. 

We consider an optimistic scenario in which users have pairs of public and 
private keys and give an encryption of their secret key with the public key of 
a third party. In this setting we wish to provide a publicly verifiable proof that 
the third party is able to recover the secret key if needed. We use the term 
fair encryption for such a verifiable encryption. Note that the third party is 
not involved during encryption or during verification of the proof. In optimistic 
systems like [1], the third party is active only in case of dishonest behavior of 
one participant; it is implicitly assumed that the knowledge that the third party 
is able to solve any conflict is enough to deter anybody from cheating. 

Our emphasis is on size; we believe that the proof should be approximately 
of the same length as the original key. Consequently, general techniques of zero- 
knowledge proofs cannot be used and we have to design specific proof systems 
which are very efficient. 

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 172-189, 2000. 

© Springer- Verlag Berlin Heidelberg 2000 




Fair Encryption of RSA Keys 173 



Previous Work. 

Publicly verifiable encryption is not a new concept and it has been used in appli- 
cations like secret sharing or key escrow. In 1998, Young and Yung [29] proposed 
auto-recoverable auto-certifiable public key cryptosystems based on verifiable 
encryption of secret keys using double decker exponentiation which makes the 
proofs efficient but certainly not really practical, in a natural sense that is defined 
below. Furthermore, this system does not separate the recoverability verification 
from the ability to certify public keys.(1)

Efficient vs Practical Protocols. 

Following the tradition of complexity theory, cryptographers generally consider that a protocol is “efficient” when both its running time and the size of the transmitted data are polynomial in some typical parameters such as the bit length of the integers in use and other security parameters. This approach makes it possible to eliminate non-polynomial schemes that are obviously not usable in practice, but those which survive cannot necessarily be considered practical. For example, we can think about general multi-party computation protocols.

In this paper, we focus on protocols that are efficient but also really practical. As an example, let us consider the Fiat-Shamir identification scheme [10]; if we write k for the security parameter and |n|_b for the size of the integers in use, its time complexity is O(k × |n|_b^2) and the communication complexity, measuring the size of the exchanged data, is O(k × |n|_b). Thus this protocol is efficient but not very practical. As another example, the Schnorr scheme [24] is efficient and even practical since its time complexity is O(|n|_b^3) and its communication complexity is O(k + |n|_b); the security parameter k may be raised with only a modest increase in size.

Our aim is to design proof systems that are practical at least in terms of communication, i.e. such that the size of the proofs is of the same order as the size of the underlying objects. This is motivated by the scenario that we have in mind since we wish to turn our proofs into non-interactive “certificates”. In this setting, the optimization of the size of transmitted data is of crucial importance.

Our Results. 

In this paper, we propose proofs of fair encryption for secret keys of any encryption scheme based on the discrete logarithm problem or on the intractability of factorization, including RSA and its variants. The asymmetric secret keys are encrypted using any homomorphic public key cryptosystem like those of Naccache-Stern [17], Okamoto-Uchiyama [18] or Paillier [19]. In this paper we only focus on the Paillier scheme, but we can immediately adapt the protocols in order to use the Okamoto-Uchiyama cryptosystem, whose one-wayness is based on the well-studied factorization problem instead of the new one introduced in [19].

More precisely, we give a protocol to prove that a ciphertext enables a third 
party to recover the El Gamal secret key related to a public one. Such a proof is 
very short and the workload of the third party during recovery is very small. We 

(1) Those results have been recently improved in [30]. See also [27].





174 Guillaume Poupard and Jacques Stern 



also propose a scheme for fair encrypting the factorization of a public modulus. 
Such a proof is also very small but the workload of the third party is much 
more important than for El Gamal keys since, from a theoretical point of view, 
the recovery time and the cheating time are polynomially related. However, we 
describe practical parameters to show that actual applications are feasible. 

Finally, as an application, we design a very simple and efficient key recovery 
system that can be used with any kind of keys, including RSA keys. We propose 
the first non-interactive proof of recoverability of RSA keys short enough (a few 
hundred bytes) to be appended as a certificate to any ciphertext. A consequence 
is that the recoverability verification is no longer performed by the certification 
authority. Consequently, this approach is more flexible than auto-recoverable 
cryptosystems [29] and more secure than binding cryptography [28] . 

Those results follow from a careful analysis of previously proposed building blocks: homomorphic cryptosystems based on exponentiation modulo composite integers, the so-called bounded range commitment schemes which try to prove the knowledge of a discrete logarithm in a given range, and the short proofs of knowledge for factoring proposed in [23].

Outline of the Paper. 

In section 2 we describe notations and give a precise description of the three 
building blocks: trapdoor discrete logarithm cryptosystems, Diophantine com- 
mitment and short proof of knowledge for factoring. Security proofs for those 
two last protocols appear in appendix. Next, in section 3, we describe our fair 
encryption protocols first for El Gamal and then for RSA. Finally, in section 4 
we show how fair encryption enables the design of very simple and efficient key 
escrow systems. 



2 Preliminary Tools 

Throughout this paper, we use the following notation: for any integer n,

- we use φ(n) to denote the Euler totient function, i.e. the cardinality of Z_n^*,

- we use λ(n) to denote Carmichael’s lambda function, defined as the largest order of the elements of Z_n^*.

It is well known that if the prime factorization of an odd integer n is \prod_{i=1}^{k} p_i^{a_i}, then

φ(n) = \prod_{i=1}^{k} p_i^{a_i - 1}(p_i - 1)   and   λ(n) = \mathrm{lcm}_{i=1..k}\big( p_i^{a_i - 1}(p_i - 1) \big).

For any integer x, |x|_b = ⌊log_2(x)⌋ + 1 is the number of bits of x. Finally, a prime number p is a strong prime if p = 2p' + 1 and p' is also prime. Our computing model is the probabilistic polynomial time Turing machine (PPTM), whose running time is a polynomial in specified parameters.



2.1 Homomorphic Cryptosystems 

Various cryptosystems which encrypt a message by raising a base to the power of the message modulo some integer have been proposed [15,3,17,18,19]. Their security is related to the intractability of computing discrete logarithms in that base. As usual, the computation becomes easy using a trapdoor. As an important consequence of this encryption technique, those schemes have homomorphic properties that can be informally stated as follows, writing E(m) for the encryption of a message m:

E(m_1 + m_2) = E(m_1) × E(m_2)   and   E(k × m) = E(m)^k.



The early examples of such schemes could only achieve bit by bit encryption [15] or had very limited bandwidth [3]. However, recently, three cryptosystems with significant bandwidth have been proposed: one by Okamoto and Uchiyama [18] based on exponentiation modulo p²q of messages from Z_p, where p and q are prime numbers; the second by Naccache and Stern [17] based on exponentiation modulo n of messages from Z_σ, with σ a smooth divisor of φ(n); and finally a proposal of Paillier [19] which extends the system of [18] by using exponentiation modulo N² = p²q² and messages from Z_{pq}. In the following, we only describe protocols based on the Paillier cryptosystem, but we insist on the fact that any of those three cryptosystems could be used.

The Paillier cryptosystem is based on the properties of the Carmichael lambda function in Z_{N²}^*. We recall here the main two properties: for any w ∈ Z_{N²}^*,

w^{λ(N)} = 1 mod N   and   w^{N λ(N)} = 1 mod N².



Key Generation. Let N be an RSA modulus N = p × q, where p and q are prime integers s.t. gcd(N, φ(N)) = 1. Let g be an integer of order a multiple of N modulo N². The public key is (N, g) and the secret key is λ(N).

Encryption. To encrypt a message m ∈ Z_N, randomly choose u in Z_N^* and compute the ciphertext c = g^m × u^N mod N².

Decryption. To decrypt c, compute

m = L(c^{λ(N)} mod N²) / L(g^{λ(N)} mod N²) mod N,

where the L-function takes as input an element u equal to 1 modulo N and computes L(u) = (u − 1)/N.

The integer g^{λ(N)} mod N² is equal to 1 modulo N, so there exists α ∈ Z_N such that g^{λ(N)} = 1 + αN mod N². Furthermore, we note that c^{λ(N)} = (g^{λ(N)})^m mod N², since u^{N λ(N)} = 1 mod N². Consequently, c^{λ(N)} = (1 + αN)^m = 1 + αmN mod N². So L(c^{λ(N)} mod N²) / L(g^{λ(N)} mod N²) = αm / α = m mod N.

Security. It is conjectured that the so-called composite residuosity class problem, which exactly consists in inverting the cryptosystem, is intractable. The semantic security is based on the difficulty of distinguishing N-th residues modulo N². We refer to [19] for details.
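As an added example (my own code, not the paper’s), the block below implements textbook Paillier end to end and exercises both homomorphic identities of this section: multiplying ciphertexts adds plaintexts, and raising a ciphertext to a scalar multiplies the plaintext. The two Mersenne primes are constructed demo values, far too small for real use, and g = N + 1 is the usual simplification (it has order exactly N modulo N²); both are assumptions of this example.

```python
import math

# Added example, not the paper's code: textbook Paillier with the additive
# homomorphism.  P_DEMO/Q_DEMO are constructed demo primes (Mersenne primes),
# and g = N + 1 is an assumption of this demo.

P_DEMO = 2**31 - 1
Q_DEMO = 2**61 - 1

def L(u, N):
    """Paillier L-function: defined for u = 1 (mod N), returns (u - 1) / N."""
    assert u % N == 1
    return (u - 1) // N

def keygen(p=P_DEMO, q=Q_DEMO):
    """Return (public key (N, g), secret key (lambda(N), mu))."""
    N = p * q
    phi = (p - 1) * (q - 1)
    assert math.gcd(N, phi) == 1            # key-generation condition
    lam = phi // math.gcd(p - 1, q - 1)     # Carmichael lambda(N) = lcm(p-1, q-1)
    g = N + 1
    N2 = N * N
    mu = pow(L(pow(g, lam, N2), N), -1, N)  # 1 / L(g^lambda mod N^2) mod N
    return (N, g), (lam, mu)

def encrypt(pk, m, u):
    """c = g^m * u^N mod N^2; u must be a unit mod N chosen at random by the caller."""
    N, g = pk
    N2 = N * N
    assert 0 <= m < N and math.gcd(u, N) == 1
    return (pow(g, m, N2) * pow(u, N, N2)) % N2

def decrypt(pk, sk, c):
    """m = L(c^lambda mod N^2) * mu mod N."""
    N, _ = pk
    lam, mu = sk
    return (L(pow(c, lam, N * N), N) * mu) % N

def add_ciphertexts(pk, c1, c2):
    """E(m1) * E(m2) = E(m1 + m2): the additive homomorphism."""
    N, _ = pk
    return (c1 * c2) % (N * N)

def scale_ciphertext(pk, c, k):
    """E(m)^k = E(k * m): scalar multiplication of the plaintext."""
    N, _ = pk
    return pow(c, k, N * N)

if __name__ == "__main__":
    pk, sk = keygen()
    c1 = encrypt(pk, 1234, 9001)   # 9001 and 4242 play the role of random units u
    c2 = encrypt(pk, 5678, 4242)
    print(decrypt(pk, sk, add_ciphertexts(pk, c1, c2)))   # 6912
    print(decrypt(pk, sk, scale_ciphertext(pk, c1, 10)))  # 12340
```

The randomizer u is passed in explicitly so that the test below is deterministic; a deployment would draw it fresh from a CSPRNG for every encryption, since reusing u makes two encryptions of the same message identical and is what gives the scheme its semantic security in the first place.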



2.2 Diophantine Commitment 

In 1989, Schnorr [24] proposed his famous signature scheme which may be viewed 
as proof of knowledge of a discrete logarithm modulo a prime number. Since then, 
many authors have tried to adapt the scheme in order to add control over the 
size of the secret value. Such a bounded-range commitment has many applications and it has been used for group signature by Camenisch and Michels [6], for electronic cash by Chan, Frankel and Tsiounis [8], for verifiable secret sharing by Fujisaki and Okamoto [12] and finally for proving that a modulus is the product of two safe primes by Camenisch and Michels [7]. However no satisfactory solution has appeared at the moment (see the footnote below). Known proposals are only able to prove
that the discrete logarithm is not “too far” from a fixed range, their analysis is 
complex (and sometimes erroneous as in the Eurocrypt ’98 version of [8]) and 
their security is often based on non-standard assumptions such as the so-called 
“strong RSA assumption” needed to make proofs efficient. In this paper, we 
adopt a totally different strategy in the analysis of bounded-range commitment 
schemes. 

Let 𝒢 be a multiplicative finite group. As an example of such a group, in the next sections we use groups of unknown order 𝒢 = Z_{N²}^* where N is an RSA modulus. Let X be an integer and G be an element of 𝒢. We consider a player who has a secret integer x that lies in the range [0, X[ and who computes, in 𝒢, the public value Γ = G^x.

We do not know how to prove the knowledge of a discrete logarithm in the range [0, X[ of Γ in base G. Consequently we only prove a weaker property. Let A and B be two parameters whose values are analyzed later. We describe a practical statistically zero-knowledge interactive proof of knowledge of σ ∈ ]−X, X[ and τ ∈ ]0, B[ such that G^σ = Γ^τ in 𝒢. It should be clear that we do not prove the knowledge of x ∈ [0, X[ such that Γ = G^x. However, in practice, the prover needs to know such an x in order to be able to perform the proof.

Protocol 1: The following round is repeated ℓ times. At each round, the prover randomly chooses an integer r in [0, A[ and computes the commitment W = G^r in 𝒢. Then he sends W to the verifier who answers a challenge e randomly chosen in [0, B[. The prover computes y = r + e × x (an integer in Z) and sends it to the verifier who checks G^y = W × Γ^e in 𝒢 and 0 ≤ y < A.

A security analysis of this scheme is proposed in appendix A. Note that this 
protocol is similar to previous proposals for bounded-range commitment [6,8,12,7] 
but that the analysis is really different and does not use non-standard hypothesis 
like the strong-RSA assumption. 

Let us summarize the security results. A prover who knows x ∈ [0, X[ is accepted with probability higher than 1 − ℓXB/A, so A must be much larger than ℓXB in order to make the protocol correct. Furthermore, the protocol is sound, i.e. a prover who convinces a verifier with probability higher than 1/B^ℓ must know σ ∈ ]−X, X[ and τ ∈ ]0, B[ such that G^σ = Γ^τ. Finally, in the complexity theory setting, if we consider a security parameter k and if all the parameters X, A, B and ℓ are viewed as functions of k, the protocol is statistically zero-knowledge if ℓ × B is polynomial in k and if ℓXB/A is negligible.

When X is chosen, the choice of the remaining parameters is directed by those results. From a theoretical point of view, if we consider that the security parameter k is related to the cheating probability 1/2^k for an adversary, the soundness implies that B^ℓ > 2^k. Furthermore, the protocol is zero-knowledge if it can be simulated in polynomial time. Since the time complexity of the simulation is O(ℓ × B), the parameters ℓ and B must be polynomial in k. Finally, the correctness and the zero-knowledge property show that A must be such that ℓXB/A is negligible.

Footnote: Last minute: see F. Boudot’s paper [5] in this volume, pp. 431-444.

From a practical point of view, we can fix the security parameter k to 80 for example. If |X|_b = 160, the following practical values for the other parameters are reasonable: B = 2^…, ℓ = 4, A = … = 2^….

Let ω be the order of G in 𝒢. Note that the relation G^σ = Γ^τ does not even imply the existence of a discrete logarithm for Γ with base G but, if Γ = G^x mod N², we have τx = σ mod ω and consequently

x = (σ / gcd(τ, ω)) × (τ / gcd(τ, ω))^{-1} mod ω / gcd(τ, ω).

The Diophantine commitment can be made non-interactive using the Fiat-Shamir heuristic [10]. The verifier’s challenge is replaced with the hash value of the commitment and of the public data using a collision-resistant hash function. It is widely believed that such a transformation guarantees an accurate level of security as soon as the hash function is random enough. Furthermore, the security of this approach can be formalized using the random oracle model [20].
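The block below is an added example (my own code, not the paper’s) of Protocol 1 in the group Z_{N²}^*, run in the non-interactive form just described: all ℓ commitments are computed first, the ℓ challenges are derived by hashing them together with the public data, and the verifier recomputes the challenges before checking each round. The names G, Γ, x, X, A, B and ℓ, the modulus (built from two Mersenne primes), the use of SHA-256 as the hash function and the parameter sizes (X = 2^160, B = 2^20, ℓ = 4, A = 2^260) are assumptions of this example chosen to satisfy A ≫ ℓXB.

```python
import hashlib

# Added example, not the paper's code: bounded-range (Diophantine) commitment
# of Protocol 1 in Z_{N^2}^*, made non-interactive with Fiat-Shamir.
# All names and parameter values below are assumptions of this demo.

N_DEMO = (2**61 - 1) * (2**89 - 1)     # constructed RSA-style modulus N
MOD = N_DEMO * N_DEMO                   # the group is Z_{N^2}^*
G_DEMO = 3                              # base G, a unit modulo N^2
X_BOUND = 2**160                        # secret x lies in [0, X[
B_BOUND = 2**20                         # challenges e lie in [0, B[
ELL = 4                                 # rounds
A_BOUND = X_BOUND * B_BOUND * 2**80     # A >> ell * X * B, so y = r + e*x rarely exceeds A
MASK_BYTES = A_BOUND.bit_length() // 8 + 8

def fs_challenges(gamma, commitments, ell=ELL, B=B_BOUND):
    """Fiat-Shamir: ell challenges in [0, B[ from the commitments and public data."""
    digest = hashlib.sha256(str((gamma, commitments)).encode()).digest()
    big = int.from_bytes(digest, "big")
    return [(big >> (20 * i)) % B for i in range(ell)]

def prove(G, x, rng_bytes):
    """Prover: Gamma = G^x; per round W = G^r, y = r + e*x over the integers."""
    gamma = pow(G, x, MOD)
    rs = [int.from_bytes(rng_bytes(MASK_BYTES), "big") % A_BOUND for _ in range(ELL)]
    commitments = [pow(G, r, MOD) for r in rs]
    es = fs_challenges(gamma, commitments)
    ys = [r + e * x for r, e in zip(rs, es)]
    return gamma, commitments, ys

def verify(G, gamma, commitments, ys):
    """Verifier: recompute challenges, check G^y = W * Gamma^e and 0 <= y < A."""
    if len(commitments) != ELL or len(ys) != ELL:
        return False
    es = fs_challenges(gamma, commitments)
    for W, e, y in zip(commitments, es, ys):
        if not (0 <= y < A_BOUND):          # the range check is what bounds the secret
            return False
        if pow(G, y, MOD) != (W * pow(gamma, e, MOD)) % MOD:
            return False
    return True

def demo_proof(x, seed=7):
    """Run the prover on secret x with a deterministic (seeded) mask source."""
    state = [seed]
    def rng_bytes(n):                       # hash-chain PRNG, for reproducibility only
        out = b""
        while len(out) < n:
            state[0] += 1
            out += hashlib.sha256(str(state[0]).encode()).digest()
        return out[:n]
    gamma, Ws, ys = prove(G_DEMO, x, rng_bytes)
    return G_DEMO, gamma, Ws, ys

if __name__ == "__main__":
    G, gamma, Ws, ys = demo_proof(123456789)
    print("honest proof accepted:", verify(G, gamma, Ws, ys))
    G, gamma, Ws, ys = demo_proof(2 * A_BOUND)
    print("out-of-range secret accepted:", verify(G, gamma, Ws, ys))
```

Two things are worth noticing when running it: the check 0 ≤ y < A is the only place the range of x enters the verification, and a secret of size 2·A makes every response y = r + e·x overflow A as soon as e ≥ 1, so the proof is rejected; and the mask source must not be reused across proofs, since two responses y, y' with different challenges and the same r reveal x = (y − y')/(e − e').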



2.3 Short Proof of Knowledge for Factoring 

Proofs of knowledge for the factorization of an integer n have been known for a 
long time. But, even if they are claimed efficient according to complexity theoret- 
ical arguments, none of them can be considered practical for many applications 
because of their significant communication complexity: the proof is much longer 
than the object it deals with. 

A new strategy has been used in [23]. The protocol is a proof of knowledge of a small common discrete logarithm, for a few randomly chosen elements modulo n, of the n-th power of each of those elements. This scheme is very efficient; when suitably optimized, its communication complexity is only O(k + |n|_b) bits, where k is a security parameter. In this setting, the size of the proof is similar to the size of the integer n. The improvement in comparison with the previously known schemes can therefore be compared with the difference of efficiency between the Fiat-Shamir scheme and the Schnorr one. Furthermore, the computational complexity is proved to be O((|n|_b + k) × k) multiplications modulo n both for the prover and the verifier, but strong heuristic evidence shows that O((|n|_b + k) × log k) is enough. This might appear a small improvement but it has drastic consequences in practical terms: only three modular exponentiations both for the prover and the verifier are needed to obtain a very high level of security.

Protocol 2: First the prover and the verifier agree on mutually randomly chosen integers z_i ∈ Z_n^* for i = 1..K. Then the following elementary round is repeated ℓ times. The prover randomly chooses an integer r in [0, A[ and computes, for i = 1..K, the commitments x_i = z_i^r mod n. Then he sends the x_i’s to the verifier who answers a challenge e randomly chosen in [0, B[. The prover computes y = r + (n − φ(n)) × e (in Z) and sends it to the verifier who checks 0 ≤ y < A and, for i = 1..K,

z_i^{y − n × e} = x_i mod n.



A security analysis of this scheme appears in [23]. The choice of the parameters B and ℓ must be such that $B^{\ell} > 2^{k}$, where k is a security parameter, in order to make the protocol sound. Furthermore, the parameter A must be much larger than (n − φ(n)) × B × ℓ to guarantee the completeness and the zero-knowledge property, but it must also be smaller than n to guarantee the soundness. Consequently, n must verify (n − φ(n)) × B × ℓ ≪ n. For the applications we consider in this paper, such a proof is used to prove the knowledge of integers like RSA moduli with large prime factors, so this condition is always satisfied. Note that if n has small prime factors, the proof is no longer zero-knowledge but it is still sound, so a prover cannot cheat by choosing an integer n with small factors. Such a choice would only compromise his own security.
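Protocol 2 in code, as an added illustration for this page (it is not the authors’ code): an honest prover and verifier run the ℓ rounds, and an extractor shows the soundness argument, namely that two accepting answers on one commitment yield an exponent that kills every base. Everything concrete is an assumption chosen to keep the run fast: n is the product of two 32-bit primes, the bases z_i are 2, 3 and 5, A = 2^60, B = 2^10 and ℓ = 2, so that (n − φ(n)) × B × ℓ is far below A < n.

```python
import random

# Constructed toy parameters (assumptions, not the paper's 1024-bit values).
P, Q = 4294967291, 4294967311          # two known 32-bit primes
N = P * Q                               # the prover's modulus n
DELTA = N - (P - 1) * (Q - 1)           # n - phi(n) = p + q - 1, the prover's secret
A, B, L = 1 << 60, 1 << 10, 2           # answer bound, challenge bound, rounds
ZS = (2, 3, 5)                          # the agreed bases z_i (hashed from n in practice)


def commit(n, zs, r):
    """Prover, first flow: x_i = z_i^r mod n for a random r in [0, A[."""
    return [pow(z, r, n) for z in zs]


def respond(delta, r, e):
    """Prover, third flow: y = r + (n - phi(n)) * e over the integers.
    Returns None when y falls outside [0, A[, the (rare) completeness failure."""
    y = r + delta * e
    return y if 0 <= y < A else None


def verify(n, zs, xs, e, y):
    """Verifier: 0 <= y < A and z_i^(y - n*e) = x_i mod n for every i.
    For an honest prover y - n*e = r - phi(n)*e is negative; pow() with a
    negative exponent and a modulus uses the modular inverse of z_i."""
    if y is None or not 0 <= y < A:
        return False
    return all(pow(z, y - n * e, n) == x for z, x in zip(zs, xs))


def run_protocol(n, delta, zs, rng):
    """The l elementary rounds between an honest prover and an honest verifier."""
    for _ in range(L):
        r = rng.randrange(A)
        xs = commit(n, zs, r)
        e = rng.randrange(B)                 # verifier's challenge
        if not verify(n, zs, xs, e, respond(delta, r, e)):
            return False
    return True


def extract(n, zs, xs, e1, y1, e2, y2):
    """Soundness argument: two accepting answers (e1, y1), (e2, y2) to different
    challenges on the same commitment give sigma = y1 - y2, tau = e1 - e2 with
    z_i^(sigma - n*tau) = 1 mod n for every base, i.e. a non-zero multiple of
    the order of every z_i, which is what is needed to factor n."""
    if e1 == e2:
        raise ValueError("challenges must differ")
    if e1 < e2:
        e1, y1, e2, y2 = e2, y2, e1, y1
    if not (verify(n, zs, xs, e1, y1) and verify(n, zs, xs, e2, y2)):
        raise ValueError("both transcripts must be accepting")
    return y1 - y2, e1 - e2


if __name__ == "__main__":
    print("honest run accepted:", run_protocol(N, DELTA, ZS, random.Random(1)))
    xs = commit(N, ZS, 12345)
    y1, y2 = respond(DELTA, 12345, 678), respond(DELTA, 12345, 5)
    print("extracted (sigma, tau):", extract(N, ZS, xs, 678, y1, 5, y2))
```

The extractor returns (σ, τ) = ((n − φ(n)) × (e1 − e2), e1 − e2) for an honest prover; for a prover who does not know n − φ(n) it still returns an exponent σ − nτ that every base raises to 1, which is the only property the third party needs.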

Using classical techniques, the commitments $x_i$ can be hashed. This trick makes the communication complexity independent of K. Accordingly, the protocol is really practical in terms of communication, whatever K may be. Furthermore, the proof can be made non-interactive: the $z_i$ are chosen by means of a hash function repeatedly applied to the integer n, and the verifier’s challenge is replaced with the hash value of the commitments and of the public data. The size of such a proof is very small in practice, i.e. similar to the size of n.



3 Fair Encryption of Secret Keys 

We consider a third party who chooses his own private and public keys in the Paillier cryptosystem. Let ( ) be his public key. We also consider a user who has a pair ( ) of related secret and public keys for any cryptosystem (not necessarily Paillier’s one). A fair encryption of the secret key consists of a ciphertext F and of a non-interactive proof of fairness; F encrypts some secret data related to the secret key with the public key of the third party, and the proof convinces anybody that the third party is able to recover the secret key using the public key, F and his Paillier secret key.

Note that the third party is not involved in the process of fair encryption or 
during verification of the proof of fairness. As in many “optimistic” systems like 
[1], the third party is active only in case of dishonest behavior of one participant; 
it is implicitly assumed that the knowledge that the third party is able to solve 
any conflict is enough to deter anybody from cheating. 

We propose fair encryption schemes for the secret keys of all known public key encryption schemes based on the discrete logarithm problem or on the difficulty of factoring. We first give the application to the case of El Gamal keys. Then, we study the case of RSA keys.
3.1 Fair Encryption of El Gamal Type Keys

A fair encryption of an El Gamal secret key consists of an encryption F of that key, obtained with the public key of a third party, and of a publicly verifiable non-interactive proof that the third party would be able to recover it from F and the public key if needed. Such systems have already been proposed (see for example the attempt in [2]), but we explain at the end of this section why previous solutions are not satisfactory. Note that, in order to simplify the presentation of the protocol, we only consider the non-randomized Paillier scheme, but a semantically secure version can be used, as shown in the next section for the RSA case.

A third party first chooses his public key (N, g) and the related private key to be used with the Paillier cryptosystem, i.e. N an RSA modulus and g an element of order a multiple of N in $\mathbb{Z}_{N^2}^*$. Let us further consider a strong prime number p = 2q + 1 and a generator h of $\mathbb{Z}_p^*$. Each user chooses a private key x in $\mathbb{Z}_{p-1}$ and computes his public key $Y = h^{x} \bmod p$. In order to make a fair encryption of his secret key x, he computes the ciphertext $F = g^{x} \bmod N^2$ and a non-interactive proof of the third party’s ability to compute x from Y and F. We now describe an interactive version of such a proof that will further be made non-interactive.

We define S = p − 1 and $G = \mathbb{Z}_{N^2}^*$. Let A, B and ℓ be Diophantine commitment parameters as described in section 2.2.

Protocol 3: The following round is repeated ℓ times. At each round, the prover randomly chooses an integer r in [0, A[ and sends the commitment $t = (g^{r} \bmod N^2,\; h^{r} \bmod p)$ to the verifier, who answers an integer e randomly chosen in [0, B[. The prover computes $y = r + e \times x$ and sends it to the verifier, who checks $t = (g^{y} \times F^{-e} \bmod N^2,\; h^{y} \times Y^{-e} \bmod p)$ and 0 ≤ y < A.

This protocol runs in parallel the Girault scheme [13], analyzed in [22], and a Diophantine commitment. Just as for each of the two schemes separately, we can prove correctness and the statistical zero-knowledge property, provided ℓSB/A is negligible and ℓ × B is polynomial in the security parameter k. Furthermore, if a prover is accepted with probability $> 1/B^{\ell}$, then he must know (σ, τ) with |σ| < A, 0 < τ < B, $g^{\sigma} = F^{\tau} \bmod N^2$ and $h^{\sigma} = Y^{\tau} \bmod p$. In other words, if an adversary, viewed as a probabilistic Turing machine, is accepted with probability $> 1/B^{\ell}$, we can use it to build an extractor that computes such a pair (σ, τ).

Theorem 1. The third party can recover a fairly encrypted secret key x from Y and F in time O(|N|) if the recoverability proof is valid, provided $N > 2\sqrt{2}\,AB$.

Proof: First note that the discrete logarithm of Y in base h modulo p, i.e. the secret key x related to the El Gamal public key Y, exists because h generates $\mathbb{Z}_p^*$. The proof associated with the encryption F shows that there exists (σ, τ) such that $h^{\sigma} = Y^{\tau} \bmod p$, so we have $\sigma = \tau x \bmod (p - 1)$. As q = (p − 1)/2 is a prime number, we obtain $\sigma_0 = \tau_0 \, x \bmod q$, where $(\sigma_0, \tau_0) = (\sigma/d, \tau/d)$ and d = gcd(σ, τ). Consequently, the knowledge of (σ, τ) enables to recover x, because we can compute $x_0 = (\sigma/d) \times (\tau/d)^{-1} = \sigma_0 \times \tau_0^{-1} \bmod q$ and the secret key x mod p − 1 is $x_0$ or $x_0 + q$.

Finally, it is enough to show that a third party can recover $(\sigma_0, \tau_0) = (\sigma/d, \tau/d)$ from F and Y. We show that this can be efficiently done, provided $N > 2\sqrt{2}\,AB$.

First, he decrypts F with his Paillier secret key and obtains the value γ such that $F^{\lambda(N)} = g^{\gamma \lambda(N)} \bmod N^2$. Since $g^{\sigma} = F^{\tau} \bmod N^2$, the previous equation implies $\sigma - \gamma\tau = 0 \bmod N$. Let us consider the solutions of the equation $a - \gamma b = 0 \bmod N$, where a and b are the unknowns. They are the elements of a lattice with basis ((N, 0), (γ, 1)). Since the dimension of the lattice is 2, we can use Gauss’ algorithm [9, p. 23] in order to find its shortest vector. When running this algorithm, we need to specify the inner product; for the sake of optimization, we replace the standard inner product by a weighted one in which the second coordinate is scaled by A/B, so that a vector (a, b) with |a| < A and |b| < B has norm smaller than $\sqrt{2}\,A$. Receiving the basis ((N, 0), (γ, 1)) as its input, the algorithm outputs the shortest vector $(\sigma_0, \tau_0)$ of the lattice. The (unknown) vector (σ, τ) is also in the lattice, so that $\|(\sigma_0, \tau_0)\| \le \|(\sigma, \tau)\| < \sqrt{2}\,A$. This means that $|\sigma_0| < \sqrt{2}\,A$ and $|\tau_0| < \sqrt{2}\,B$.

From the equations $\sigma - \gamma\tau = \sigma_0 - \gamma\tau_0 = 0 \bmod N$ we obtain $\sigma_0 \tau = \gamma\tau_0\tau = \sigma\tau_0 \bmod N$. But $|\sigma_0\tau - \sigma\tau_0| \le |\sigma_0||\tau| + |\sigma||\tau_0| < 2\sqrt{2}\,AB$ so, if $N > 2\sqrt{2}\,AB$, $\sigma_0\tau = \sigma\tau_0$ in Z. Furthermore, $(\sigma_0, \tau_0)$ is the shortest vector of the lattice, so $\gcd(\sigma_0, \tau_0) = 1$. Finally, the output of the algorithm leads to the computation of the pair (σ/d, τ/d), where d is the gcd of σ and τ. Furthermore, since 0 < τ < B, d is less than B.

Classical results about the complexity of Gauss’ algorithm (see for example [25]) prove that the number of iterations needed to find $(\sigma_0, \tau_0)$ is O(log N).

□



As a consequence, the key recovery process is efficient from a theoretical point of view. Furthermore, practical experiments confirm its very high efficiency: a few milliseconds of computation recover the key, whatever the encryption may be, provided the proof is valid.

In conclusion, the protocol is secure both for the prover and for the verifier. A dishonest verifier cannot obtain any extra information about the secret key and, if the proof is accepted, the third party can recover it whatever the encryption F may be, even if the prover is dishonest and has unlimited computation power.
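The recovery step of Theorem 1 as an added, runnable example (not code from the paper): Gauss reduction of the lattice {(a, b) : a ≡ γb (mod N)} under the weighted norm, followed by the El Gamal key reconstruction modulo q. The Paillier decryption itself is not implemented; the example assumes the third party already holds γ = σ × τ^{-1} mod N as it would read it out of F. The modulus N = 2^61 − 1 (a prime standing in for the Paillier modulus, since only N > 2√2 AB and gcd(τ, N) = 1 matter for this step), the safe prime p = 1907, the generator 2 and the bounds A = 2^22, B = 2^10 are toy values chosen here.

```python
from math import gcd


def gauss_reduce(u, v, A, B):
    """Gauss (Lagrange) reduction of the rank-2 lattice spanned by u and v.
    The inner product is the weighted one <(a,b),(c,d)> = B^2*a*c + A^2*b*d,
    i.e. the usual one after scaling the second coordinate by A/B; under it a
    vector (s,t) with |s| < A and |t| < B has squared norm below 2*A^2*B^2.
    Returns a shortest non-zero vector of the lattice."""
    def ip(x, y):
        return B * B * x[0] * y[0] + A * A * x[1] * y[1]

    while True:
        if ip(u, u) < ip(v, v):
            u, v = v, u                          # keep v the shorter vector
        vv = ip(v, v)
        m = (2 * ip(u, v) + vv) // (2 * vv)      # nearest integer to <u,v>/<v,v>
        if m == 0:
            return v                             # |<u,v>| <= |v|^2/2: basis reduced
        u = (u[0] - m * v[0], u[1] - m * v[1])


def recover_ratio(N, gamma, A, B):
    """Key-recovery step of Theorem 1.  gamma = sigma * tau^-1 mod N is what the
    third party reads out of F; (sigma, tau) is unknown but |sigma| < A,
    0 < tau < B and N > 2*sqrt(2)*A*B.  Returns (sigma0, tau0) = (sigma, tau)/d
    with d = gcd(sigma, tau): the shortest vector of {(a, b): a = gamma*b mod N}
    is at most as long as (sigma, tau), hence |sigma0| < sqrt(2)*A and
    |tau0| < sqrt(2)*B, and sigma0*tau - sigma*tau0, a multiple of N that is
    smaller than N in absolute value, is zero over the integers."""
    s0, t0 = gauss_reduce((N, 0), (gamma % N, 1), A, B)
    if t0 < 0:
        s0, t0 = -s0, -t0
    return s0, t0


def recover_elgamal_key(p, h, Y, N, gamma, A, B):
    """Finish Theorem 1 for a safe prime p = 2q+1: the proof guarantees
    h^sigma = Y^tau mod p, so the key x satisfies x = sigma0 * tau0^-1 mod q
    (tau0 < B < q is invertible) and x mod p-1 is that value or that value + q."""
    q = (p - 1) // 2
    s0, t0 = recover_ratio(N, gamma, A, B)
    x0 = (s0 * pow(t0, -1, q)) % q
    for cand in (x0, x0 + q):
        if pow(h, cand, p) == Y:
            return cand
    raise ValueError("no key matches Y: the proof cannot have been valid")


# Constructed toy instance (assumptions, not the paper's sizes): safe prime
# p = 1907 = 2*953 + 1 with generator 2, bounds A = 2^22 > (p-1)*B*l for l = 2
# and B = 2^10, and the Mersenne prime 2^61 - 1 standing in for the Paillier
# modulus N (only N > 2*sqrt(2)*A*B and gcd(tau, N) = 1 matter here).
P_EG, H_EG, A_EG, B_EG = 1907, 2, 1 << 22, 1 << 10
N_TP = (1 << 61) - 1


def simulate_and_recover(x, tau):
    """Model the honest case: the extractor pair is (sigma, tau) = (x*tau, tau)
    and decrypting F yields gamma = sigma/tau mod N.  Returns the recovered key."""
    Y = pow(H_EG, x, P_EG)
    sigma = x * tau
    gamma = sigma * pow(tau, -1, N_TP) % N_TP
    return recover_elgamal_key(P_EG, H_EG, Y, N_TP, gamma, A_EG, B_EG)
```

Note that γ alone is useless when gcd(σ, τ) > 1 or τ ≠ 1: a plain decryption returns σ/τ mod N, not x, which is exactly why the lattice step is needed before reducing modulo q.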



Non-interactive Version and Optimizations. Many well-known optimizations can be applied to the previous proof. The commitment can be replaced by its hash value, as described in [14], and it can be precomputed in order to reduce the on-line computation to a very simple non-modular arithmetic operation. We can also reduce the size of the secret key to about 160 bits, as explained in [26]. Finally, this proof can be made non-interactive in order to obtain a very short certificate of fair encryption.
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Comparison with Previous Proposals. At first sight, the key recovery pro- 
cedure based on lattice reduction might seem overly intricate. We explain why a 
simple decryption of F (as proposed in [2]) presumably does not always enable 
to recover the secret key. 

Let us consider the following cheating strategy based on the ability to extract 
/-th root, where / is small, without being able to factor. This is a plausible 
assumption as explained in [4]. The (dishonest) prover chooses an , computes 
and r = ® mod ^ . Then he extracts an /-th root F oi F modulo ^ . When 

/ divides the challenge , which happens with probability 1 /, the prover answers 
= -|-( /) . The verification is still correct but, when the third party decrypts 

F, he obtains a value that has nothing to do with the the discrete logarithm of 
Y in base modulo p. 

In order to overcome the difficulty one can use a non-standard intractability 
assumption, the so-called “strong RSA problem”, which appears in several pa- 
pers [12,6]. With our system, under standard assumption, the third party would 
find (7 and r such that ” mod p, since a = { — ') f x = (t /) , and 

consequently the correct value of the secret key as was previously explained. 

3.2 Fair Encryption of RSA Keys 

We now turn to fair encryption of RSA keys. Using Diophantine commitment and short proofs of knowledge for factoring, we design a fair encryption system which enables the third party to recover the factorization of the RSA modulus, even if it is not of a correct form, i.e. if it is not the product of two large safe primes of approximately the same length. The originality of our solution, in comparison with other proposals, is that it does not include any proof that the RSA modulus has exactly two different prime factors. This has important consequences for efficiency.

We consider a scenario where each user chooses two k′-bit prime numbers p and q and computes his RSA modulus n = pq. He also computes n − φ(n) = p + q − 1 and the encryption $F = g^{\,n - \varphi(n)} \bmod N^2$.

We now describe a scheme that enables the user to convince a verifier that the third party is able to factor n using F and his Paillier secret key. Let A, B, ℓ and K be the parameters of the short proof of knowledge for factoring, as exposed in section 2.3.

Protocol 4: First the prover and the verifier agree on mutually randomly chosen integers $z_i$ modulo n for i = 1, …, K. Then the following basic round is repeated ℓ times. The prover randomly chooses an integer r in [0, A[ and sends the commitment $t = (g^{r} \bmod N^2,\; (z_i^{r} \bmod n)_{i=1..K})$. Then the verifier answers an integer e randomly chosen in [0, B[. The prover computes $y = r + e \times (n - \varphi(n))$ and sends it to the verifier, who checks $t = (g^{y} \times F^{-e} \bmod N^2,\; (z_i^{\,y - n e} \bmod n)_{i=1..K})$ and 0 ≤ y < A.

The protocol is a parallel execution of a Diophantine commitment and of a short proof of knowledge for factoring. If a prover is accepted with probability $> 1/B^{\ell}$ then, as usual, one can find a round for which he is able to correctly answer y and y′ to different challenges e and e′ (e > e′) following an identical commitment. Consequently, for all i = 1, …, K, $z_i^{\,y - ne} = z_i^{\,y' - ne'} \bmod n$. If we note σ = y − y′, τ = e − e′ and δ = nτ − σ, we have

|σ| < A, 0 < τ < B, $g^{\sigma} = F^{\tau} \bmod N^2$ and, for all i = 1, …, K, $z_i^{\delta} = 1 \bmod n$.

If σ and τ, and consequently δ, are known, the same technique as for the proof of soundness of Protocol 2 shows that the factorization of n can be extracted with O(K × |n|) multiplications modulo n.

Theorem 2. The third party can factor n from the fair encryption F in time $O(|N| + \sqrt{B})$ if the recoverability proof is valid, provided $N > 2\sqrt{2}\,AB$.

Proof: First, using the same procedure as for El Gamal keys, he computes $(\sigma_0, \tau_0) = (\sigma/d, \tau/d)$ with d = gcd(σ, τ). Let $\delta_0$ be $n\tau_0 - \sigma_0$; since $\delta = n\tau - \sigma = d \times \delta_0$ and $d = \gcd(\sigma, \tau) \le |\tau| < B$, the third party recovers δ divided by a factor d smaller than B.

This missing information can be computed using an algorithm which finds the order of the $x_i$ as follows. For any i, we know that the order of $x_i = z_i^{\delta_0} \bmod n$ is less than B because $x_i^{d} = 1 \bmod n$. The ρ-method of Pollard [21] finds this order in time $O(\sqrt{B})$ with memory complexity O(1). The idea is to choose a random-looking function f and to iteratively compute $m_{i+1} = m_i \times x^{f(m_i)} \bmod n$, starting from $m_0 = x$, for i = 0, …, μ − 1, where μ is a fixed parameter. Then, remembering only this last value $m_\mu$, we restart the same iteration $m'_{i+1} = m'_i \times x^{f(m'_i)} \bmod n$ from $m'_0 = x$ until we find an index μ′ such that $m_\mu = m'_{\mu'} \bmod n$, or until μ′ exceeds a fixed bound. If a collision $m_\mu = m'_{\mu'} \bmod n$ is found (see [21] for a precise analysis), it leads to

$$\sum_{i=0}^{\mu'-1} f(m'_i) \;-\; \sum_{i=0}^{\mu-1} f(m_i),$$

which is a multiple of the order of x modulo n.

Finally, in time $O(\sqrt{B})$ and with a small amount of memory, the third party recovers δ and then factors n with high probability. □

As a consequence of the time complexity of the algorithm in $O(\sqrt{B})$, if B is exponential in the security parameter k, the extractor is not efficient from a theoretical point of view. However, we show in the next sections that the parameters B and ℓ can be chosen in order to guarantee a high level of security, to make the key recovery process feasible for the third party, and to have short proofs.
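The third party’s side of Theorem 2 as an added example (not the paper’s code): the quadratic that yields (p, q) from n − φ(n) in the honest case, and, for the case where a factor d < B is missing, a constant-memory rho walk that returns a multiple of the order of $z^{\delta_0}$, followed by the standard step that splits n from an exponent that kills the bases. The modulus n = 10007 × 10009, the bases 2, 3, 5, 7, the bound B = 2^10 and the missing factor d = 4 are constructed values, and the walk’s step function f(h) = (h mod 16) + 1 is an arbitrary choice.

```python
from math import gcd, isqrt


def factor_from_phi(n, delta):
    """Honest case: n = p*q and delta = n - phi(n) = p + q - 1, so p and q are
    the roots of X^2 - (delta + 1)*X + n.  Returns (p, q) with p <= q, or None."""
    s = delta + 1
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s - r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p > 1 and p * q == n else None


def order_multiple(x, n, bound):
    """Pollard-style rho walk, O(1) memory, for a multiple of the order of x
    modulo n when that order is known to be below `bound`.  The walk keeps
    h = x^e and steps by h <- h * x^f(h); after mu steps only (h, e) is kept,
    and the walk goes on until h reappears: the two exponents then differ by a
    multiple of the order.  Returns None if no collision shows up in time."""
    def f(h):
        return h % 16 + 1                 # arbitrary "random-looking" step function

    mu = 8 * isqrt(bound) + 16            # past the tail of the rho, in expectation
    h, e = x % n, 1
    for _ in range(mu):
        step = f(h)
        h, e = h * pow(x, step, n) % n, e + step
    h_mu, e_mu = h, e
    for _ in range(8 * mu):
        step = f(h)
        h, e = h * pow(x, step, n) % n, e + step
        if h == h_mu:
            return e - e_mu
    return None


def factor_with_exponent_multiple(n, E, bases=range(2, 40)):
    """Split n from an exponent E that kills the bases (E is a multiple of the
    order of each base, and with high probability of lambda(n)): write
    E = 2^s * t and walk a^t, a^(2t), ...; the value just before the first 1
    that is not -1 is a non-trivial square root of 1, and gcd(root - 1, n) splits n."""
    t, s = E, 0
    while t % 2 == 0:
        t, s = t // 2, s + 1
    for a in bases:
        g = gcd(a, n)
        if 1 < g < n:
            return min(g, n // g), max(g, n // g)
        y = pow(a, t, n)
        if y in (1, n - 1):
            continue
        for _ in range(s):
            y2 = y * y % n
            if y2 == 1:
                g = gcd(y - 1, n)
                if 1 < g < n:
                    return min(g, n // g), max(g, n // g)
                break
            if y2 == n - 1:
                break
            y = y2
    return None


def third_party_factor(n, delta0, zs, bound):
    """Theorem 2's recovery: the lattice step leaves the third party with
    delta0 = delta / d for an unknown d < bound, where z^delta = 1 mod n for
    every base z.  Each x = z^delta0 therefore has order below `bound`; delta0
    times a common multiple of those orders kills every base again."""
    m = 1
    for z in zs:
        M = order_multiple(pow(z, delta0, n), n, bound)
        if M is None:
            return None
        m = m * M // gcd(m, M)
    return factor_with_exponent_multiple(n, delta0 * m)


# Constructed toy instance (assumptions): n = 10007 * 10009, bound B = 2^10,
# bases 2, 3, 5, 7, and a missing factor d = 4 modelling both the gcd loss of
# the lattice step and the cheating strategy of the remark on cheating provers.
N_DEMO, PHI_DEMO = 10007 * 10009, 10006 * 10008


def demo():
    honest = factor_from_phi(N_DEMO, N_DEMO - PHI_DEMO)
    recovered = third_party_factor(N_DEMO, PHI_DEMO // 4, (2, 3, 5, 7), 1 << 10)
    return honest, recovered
```

The walk costs O(√B) modular multiplications per base with O(1) memory, which is the trade-off the text describes: the cheating prover pays O(f) to hide a factor f of the order, the third party pays only O(√f) to find it again.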

We stress that our system does not require the modulus n to have exactly two factors; a cheating user cannot gain any advantage by using a modulus with three or more factors. Furthermore, the protocol can be immediately adapted to cryptosystems like Okamoto-Uchiyama’s, where the modulus is not an RSA modulus (e.g. $n = p^2 q$).

Remark about Cheating Provers. In order to show why we need a key recovery procedure that might seem at first sight overly intricate, we consider a cheating strategy that enables a dishonest prover to encrypt something different from n − φ(n) in F and to give a valid proof. Let f be a factor of φ(n) and let F be $g^{\,n - a\varphi(n)/f} \bmod N^2$, where a is an integer of about the same size as f. The prover follows the protocol but only answers when f divides the challenge e; this happens with probability 1/f. In this case he returns $y = r + e \times (n - a\varphi(n)/f)$. Consequently, the verifications are correct because $z_i^{\,y - ne} = z_i^{\,r} \times \bigl(z_i^{\,a\varphi(n)}\bigr)^{-e/f} \bmod n$ and the last term is equal to 1 because f divides e, but the third party cannot immediately recover the missing factor f. Notice that such a cheating strategy implies a workload O(f) for cheating but only a workload $O(\sqrt{f})$ for the third party to defeat it.

Randomized Non-interactive Version. In order to prove the semantic security of the Paillier cryptosystem, the encryption has to be probabilistic. This can be done by multiplying by $u^{N} \bmod N^2$, where u is randomly chosen in $\mathbb{Z}_N^*$: $F = g^{\,n - \varphi(n)} \times u^{N} \bmod N^2$. We can easily modify our schemes in order to use this version of the Paillier scheme. Furthermore, when a third party wants to recover a secret key, the randomization does not affect the decryption process, so nothing is changed in the key recovery. Finally, the proof can be made non-interactive. We obtain the following protocol:

Protocol 5:

Encryption. Choose $u \in \mathbb{Z}_N^*$ and compute $F = g^{\,n - \varphi(n)} \times u^{N} \bmod N^2$.

Proof of Fairness. Choose $r_i \in_R [0, A[$ and $u_i \in_R \mathbb{Z}_N^*$ for i = 1, …, ℓ. Compute the commitments $t_i = (g^{r_i} \times u_i^{N} \bmod N^2,\; (z_j^{r_i} \bmod n)_{j=1..K})$ and the challenges $(e_1, \dots, e_\ell) = H(t_1, \dots, t_\ell, (z_j)_{j=1..K}, n)$. Compute $y_i = r_i + e_i (n - \varphi(n))$ and $v_i = u^{e_i} \times u_i \bmod N$ for i = 1, …, ℓ. A non-interactive proof of fairness is the 3ℓ-tuple $((e_i, y_i, v_i))_{i=1..\ell}$.

Verification. Check $0 \le y_i < A$ for i = 1, …, ℓ. Compute $t_i = (g^{y_i} \times v_i^{N} \times F^{-e_i} \bmod N^2,\; (z_j^{\,y_i - n e_i} \bmod n)_{j=1..K})$ and check $(e_1, \dots, e_\ell) = H(t_1, \dots, t_\ell, (z_j)_{j=1..K}, n)$.



Fair Encryption of RSA Keys in Practice. This section is more practical 
in character; we consider fair encryption, using protocol 5, for a 1024-bit RSA 
modulus n with two 512-bit prime factors. 

Choice of ℓ and B: The probability for a cheating strategy to succeed during a proof of fairness is smaller than $1/B^{\ell}$, so $B^{\ell}$ must be large enough, e.g. $|B|_b \times \ell = 80$, in order to guarantee a high level of security. Furthermore, the workload for the third party is $O(\sqrt{B})$ in the worst case, so B may not be too large. The choice ℓ = 2 and $B = 2^{40}$ seems satisfactory.

Choice of A: This parameter must be smaller than n and much larger than (n − φ(n)) × B × ℓ in order to make the proof of knowledge for factoring secure. Since n has two prime factors of about the same size, n − φ(n) ≈ √n. Consequently, A must satisfy $512 + 1 + 40 \ll |A|_b < 1024$; we advise $A = 2^{633}$.

Choice of K: [23] analyzes the choice of K and shows, using heuristic arguments, that K = 3 is a good choice. As was already observed, the communication complexity of protocol 5 does not depend on K. Consequently, the use of K = 80 in order to reach a high level of provable security does not make proofs longer.

Choice of N: The Paillier modulus must satisfy $N > 2\sqrt{2}\,AB$ in order to make the key recovery process possible. With the previously advised values of the parameters A and B, this means $|N|_b > 675$. Consequently, in order to guarantee the security of the Paillier cryptosystem, $|N|_b = 1024$ seems to be a good choice.

Choice of H: The function H must be a collision-resistant cryptographic hash function; SHA-1 is a good candidate.

Choice of g: The base g must be an element of order a multiple of N modulo $N^2$. It is very simple to find such an element.

Choice of the $z_j$’s: The $z_j$’s must ideally be mutually randomly chosen in the interactive setting. In practice, they can be pseudo-randomly generated, using a hash function with a formula like $z_j = H'(j, n, F) \bmod n$.

With those parameters, a complete fair encryption, including the RSA modulus n (1024 bits), the encryption F of n − φ(n) (2048 bits) and the previously described non-interactive proof (2612 bits), is only about 710 bytes long.

4 Application to Key Recovery Systems 

As an example of application of fair encryption, we now explain its use in designing very efficient key recovery systems. It must be clear that our aim is not to enter into the controversial debate on the notion of key recovery but to give an application of fair encryption. The general criticisms against such systems are still topical questions. Also, we believe that our notion will find other applications, e.g. in the areas of electronic cash, voting schemes or lotteries.

We consider three kinds of participants: users who want to exchange encrypted messages, authorities which seek the guarantee that they will obtain the decryption of some messages in specific cases, and key recovery agents able to decrypt ciphertexts when requested by the proper authority. Our key recovery systems are designed to be used very easily with any cryptosystem, without adding interaction with authorities, third parties or key recovery agents. The basic idea consists in appending to any ciphertext C a fair encryption F of the asymmetric secret key that enables the decryption of C. F is encrypted with the Paillier public key of a key recovery agent. The proof of fairness provides a way for anyone (including authorities, proxies, users, ...) to check the correctness of F without interaction with any kind of centralized authority, and consequently to be convinced that the key recovery agent can actually decrypt C.
Using the Young and Yung setting [29], this leads to the design of auto-
recoverable auto-certifiable versions of all the cryptosystems based on discrete 
logarithm or on factoring. This includes all variants of RSA, the homomor- 
phic schemes [17,18,19] and many other cryptosystems. But the shortness of our 
proofs, a few hundred bytes, enables more flexible mechanisms where recover- 
ability verification is separated from the ability to certify public keys. It seems 
realistic to append short non-interactive proofs to any encrypted message; this 
leads to a very simple and efficient key recovery system which can be used in 
conjunction with any common cryptosystem. 

We consider a new public key scenario in which each user publishes his public key, a certificate for this key, i.e. a signature of an authority that guarantees the authenticity of the key, and a fair encryption of the related secret key that may enable a key recovery agent to decrypt any ciphertext encrypted with this public key. The proof of fairness can be checked by anybody, including people who want to send messages encrypted with this key. In the so-called fair public key scenario, the fair encryption of the secret key is added to any ciphertext encrypted with the public key. Of course, this does not guarantee that the ciphertext has really been encrypted with that key, but the aim of key escrow schemes is only to avoid the use of the regular public key infrastructure in dishonest ways; we cannot prevent simple countermeasures like over-encryption or steganography. The fair public key scenario can for example be used in a network where servers deliver encrypted messages to Alice only if a fair encryption of her secret key is added to the ciphertexts.

Note on Shadow Public Keys. Kilian and Leighton have shown in [16] that many key escrow schemes can be easily misused by dishonest users. The basic idea is to use non-escrowed keys that may be computed from regularly escrowed ones. As a first consequence, the secret keys must be jointly generated by users and authorities. Furthermore, in the more specific case of the system we propose, the proof of fairness should not be usable as a subliminal channel to publicize a non-escrowed public key. For example, it is easy to fix a few bits, e.g. in the values chosen by the prover, but we cannot see any way to increase the bandwidth of such a channel enough to transmit a key.

Note on Chosen Ciphertext Attacks. All the known cryptosystems based on a trapdoor discrete log [17,18,19] are only secure against chosen plaintext attacks, not against chosen ciphertext attacks. As an example, if it is possible to obtain the decryption of a ciphertext in the Okamoto-Uchiyama system, this immediately leads to a multiple of a secret factor and consequently to the factorization of the modulus. So a “curious” authority can factor the agent’s modulus just by asking for the recovery of a single key! As a consequence, the recovery agent must not reveal recovered keys but only decrypted messages.

With the RSA escrowing scheme, the problem is more subtle because the keys obtained by the recovery agent are not meaningless, since they are the factorization of a large number. Anyway, an attacker could try to use the agent as an oracle able to factor a modulus n = pq if and only if p + q − 1 is below a threshold depending on the agent’s secret; this binary information can be used to recover the exact value of that threshold. A dichotomic algorithm can easily bound it, so that after a number of queries linear in its bit length the attacker recovers the factorization of the agent’s modulus.

The Paillier scheme seems much more resistant to such attacks. Of course it 
is not secure against chosen ciphertext attacks since it is malleable. Furthermore, 
we cannot use a non-malleable version since we would no longer be able to make 
proofs. However, we do not know any attack able to recover a Paillier secret key 
by CCA; this is the main reason why we prefer to use this scheme and not the 
Okamoto-Uchiyama cryptosystem. 

Note on Threshold Paillier Scheme. The other reason to use the Paillier scheme is that it is the only homomorphic cryptosystem related to the discrete log problem for which a threshold distributed version [11] is known. This may be of crucial importance for practical applications in order to reduce the trust in the recovery agent.
A Security Analysis of Diophantine Commitment

In order to prove the exact security of Diophantine commitment, the approach 
of Feige, Fiat and Shamir is followed, first proving completeness, then soundness 
and, finally, the zero-knowledge property. 

Theorem 3 (Completeness). The execution of the protocol between an honest prover who knows the secret value x ∈ [0, S[ and a verifier is successful with probability higher than 1 − ℓSB/A.

Proof: If the prover knows a secret x ∈ [0, S[ and follows the protocol, he fails only if y ≥ A at some round of the proof. For any value x ∈ [0, S[, the probability of such an event, taken over all possible choices of r, is smaller than SB/A. Consequently the execution of the protocol is successful with probability higher than 1 − ℓSB/A. □

Theorem 4 (Soundness). Assume that some adversary is accepted with probability $\varepsilon' = 1/B^{\ell} + \varepsilon$, ε > 0. Then there exists an algorithm which, with probability $> \varepsilon^2/(6\varepsilon'^2)$, outputs a pair (σ, τ) with −A < σ < A, 0 < τ < B and $\gamma^{\sigma} = \Gamma^{\tau}$ in G. The expected running time is $< 2T/\varepsilon'$, where T is the average running time of an execution of the proof.

Proof: Assume that some adversary, modeled as a Turing machine A(ω) running on random tape ω, is accepted with probability $\varepsilon' = 1/B^{\ell} + \varepsilon$. We write $\mathrm{Succ}(\omega, (e_1, \dots, e_\ell)) \in \{\mathrm{true}, \mathrm{false}\}$ for the result (successful or not) of the identification of A(ω) when the challenges $e_1, \dots, e_\ell$ are used.

We consider the following algorithm (largely inspired from [24]):

Step 1. Pick a random tape ω and a tuple e of ℓ integers $e_1, \dots, e_\ell$ in {0, …, B − 1} until Succ(ω, e). Let u be the number of probes.

Step 2. Probe up to u random ℓ-tuples e′ different from e until Succ(ω, e′). If after the u probes a successful e′ is not found, the algorithm fails.

Step 3. Let j be one of the indices such that $e_j \neq e'_j$; we note $y_j$ and $y'_j$ the related correct answers of A. If $e_j > e'_j$ the algorithm outputs $(\sigma, \tau) = (y_j - y'_j, e_j - e'_j)$, otherwise it outputs $(\sigma, \tau) = (y'_j - y_j, e'_j - e_j)$.

If this algorithm does not fail, the prover is able to correctly answer two challenges $e_j$ and $e'_j$ for the same commitment $t_j$ with the answers $y_j$ and $y'_j$. This means that $\gamma^{y_j} = t_j \Gamma^{e_j}$ and $\gamma^{y'_j} = t_j \Gamma^{e'_j}$, so $\gamma^{\sigma} = \Gamma^{\tau}$. Furthermore, |σ| < A and 0 < τ < B because the integers $y_j$ and $y'_j$ are smaller than A and the integers $e_j$ and $e'_j$ are different and smaller than B.

We now analyze the complexity of the algorithm. By assumption, the probability of success of A is ε′, so the first step finds ω and e with the same probability. The expected number of repetitions is 1/ε′ and the number u of probes takes a given value with probability $\varepsilon' \times (1 - \varepsilon')^{u-1}$.

Let Ω be the set of random tapes ω such that $\Pr_e\{\mathrm{Succ}(\omega, e)\} > \varepsilon' - \varepsilon/2 = 1/B^{\ell} + \varepsilon/2$. The probability for the random tape ω found in step 1 to be in Ω, conditioned on the knowledge that Succ(ω, e) holds, can be lower bounded:

$$\Pr_{\omega,e}\{\omega \in \Omega \mid \mathrm{Succ}(\omega,e)\} = 1 - \Pr_{\omega,e}\{\omega \notin \Omega \mid \mathrm{Succ}(\omega,e)\} = 1 - \frac{\Pr_{\omega,e}\{\mathrm{Succ}(\omega,e) \mid \omega \notin \Omega\} \times \Pr_{\omega,e}\{\omega \notin \Omega\}}{\Pr_{\omega,e}\{\mathrm{Succ}(\omega,e)\}} \ge 1 - \frac{\varepsilon' - \varepsilon/2}{\varepsilon'} = \frac{\varepsilon}{2\varepsilon'}.$$

With probability $> \varepsilon/(2\varepsilon')$, the random tape is in Ω and in this case, by definition of the set Ω, the probability for a tuple of challenges e′ ≠ e to lead to success is > ε/2. The probability to obtain such a tuple e′ within u probes is $> 1 - (1 - \varepsilon/2)^{u}$.

Consequently, the probability to obtain a random tape in Ω and to find e′ is greater than

$$\frac{\varepsilon}{2\varepsilon'} \sum_{u \ge 1} \varepsilon'(1-\varepsilon')^{u-1}\bigl(1-(1-\varepsilon/2)^{u}\bigr) = \frac{\varepsilon^2}{4\varepsilon'(\varepsilon' + \varepsilon/2 - \varepsilon\varepsilon'/2)} \ge \frac{\varepsilon^2}{6\varepsilon'^2},$$

the last inequality because ε ≤ ε′. In conclusion, the algorithm finds (σ, τ) with probability $> \varepsilon^2/(6\varepsilon'^2)$ and the total expected number of executions of the proof between A and a verifier is smaller than 2/ε′. □

Finally, in the complexity theory setting, let us consider a security parameter k. All the parameters A, B, S and ℓ are viewed as functions of k.

Theorem 5 (Zero-Knowledge). The protocol is statistically zero-knowledge if ℓ × B is polynomial in k and if ℓSB/A is negligible.



Proof: We describe the polynomial time simulation of the communication between a prover P and a possibly dishonest verifier V. We assume that, in order to try to obtain information about the secret, V does not randomly choose the challenges. If we focus on the i-th round, V has already obtained data, noted $hist_i$, from previous interactions with P. Then the prover sends the commitment $t_i$ and V chooses, possibly using $hist_i$ and $t_i$, the challenge $e_i(hist_i, t_i)$.

Here is a simulation of the i-th round: choose random values $y'_i \in [0, A[$ and $e'_i \in [0, B[$, compute $t'_i = \gamma^{y'_i} \times \Gamma^{-e'_i}$. If $e_i(hist_i, t'_i) \neq e'_i$ then try again with another pair $(y'_i, e'_i)$, else return $(t'_i, e'_i, y'_i)$. It can be formally proved that such a simulation is statistically indistinguishable from the transcript of a real proof as soon as ℓSB/A is negligible: the statistical distance between the real triple $(t_i, e_i, y_i)$ and the simulated triple $(t'_i, e'_i, y'_i)$, i.e. the sum over all triples $(a_i, b_i, c_i)$ of $\bigl|\Pr\{(t_i, e_i, y_i) = (a_i, b_i, c_i)\} - \Pr\{(t'_i, e'_i, y'_i) = (a_i, b_i, c_i)\}\bigr|$, is negligible.

Furthermore, the time complexity of the simulation is O(ℓ × B), so the simulation runs in polynomial time in k if ℓ × B is polynomial. □
Abstract. We discuss the following problem: Given an integer φ shared secretly among n players and a prime number e, how can the players efficiently compute a sharing of $e^{-1} \bmod \varphi$. The most interesting case is when φ is the Euler function of a known RSA modulus N, φ = φ(N). The problem has several applications, among which the construction of threshold variants for two recent signature schemes proposed by Gennaro-Halevi-Rabin and Cramer-Shoup.

We present new and efficient protocols to solve this problem, improving over previous solutions by Boneh-Franklin and Frankel et al. Our basic protocol (secure against honest but curious players) requires only two rounds of communication and a single GCD computation. The robust protocol (secure against malicious players) adds only a couple of rounds and a few modular exponentiations to the computation.



1 Introduction 

In this paper we consider the problem of computing a multiplicative inverse of a known prime number over a shared secret modulus. Specifically, given a known prime number e, and an integer φ shared secretly among n players, how can the players compute a sharing of $e^{-1} \bmod \varphi$, without revealing anything about φ. The most interesting case is when φ is the Euler function of a known RSA modulus N, φ = φ(N), since in this case the security of the RSA cryptosystem [22] is based on the assumption that φ(N) remains secret.

The most important applications of distributed modular inversion over a shared modulus are distributed RSA key generation, and distributing the new signature schemes of Gennaro-Halevi-Rabin [17] and Cramer-Shoup [9]. In particular, in the latter applications it is very important to have an efficient inversion

* Extended Abstract. A more complete version is available from 
http://www.research.ibm.com/security/dist-inv.ps. The first author’s re- 
search was carried out while visiting the Computer Science Department of 
Columbia University. 

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 190-206, 2000. 
protocol, since in these signature schemes the inversion operation is performed
with a different exponent for each message signed. 

We present new and efficient protocols to solve the problem of inversion with 
a shared modulus. We first present a basic protocol which is only secure against 
honest but curious players. This protocol is extremely efficient as it requires only 
two rounds of communication and a single GCD computation on the part of the 
players. The protocol is also unconditionally secure (given a network of private 
channels). We then add robustness to the protocol in order to make it secure 
against malicious players. These modifications add only a couple of rounds and 
a few modular exponentiations to the computation. To overcome the difficulty 
of working over an unknown modulus, the protocols use computations over the 
integers. Some of the techniques developed to prove the security of the protocols 
may be of independent interest. 

Previous Work. Although our problem can in principle be solved using generic 
multiparty computation protocols [19,3,8], the resulting solutions would hardly 
be practical. 

Boneh-Franklin. The first to address the issue of an efficient solution for this problem were Boneh and Franklin, who in a breakthrough result show how n > 3 parties can jointly generate an RSA key without a trusted dealer [5]. In particular, as part of their solution they show how the parties jointly compute = mod ( ), where are the RSA modulus and public exponent, respectively, and ( ) is shared among the parties. Our solution improves on some of the features of the Boneh-Franklin protocol. In particular: 

1. We only use a single invocation of the BGW [3] multiplication protocol, while their protocol needs two of them. Hence the round complexity of our protocol is half that of the protocol in [5]. 

2. The Boneh-Franklin protocol is based on an n-out-of-n solution where a single crash could prevent the protocol from completing.¹ To obtain a t-out-of-n solution, they suggest using the “share-backup” approach of Rabin [21], but this approach has some known problems. For one thing, it incurs the overhead of multiple layers of (verifiable) secret-sharing. Moreover, it requires that the “good parties” recover the secret information of a party who may simply be temporarily disconnected. 

In contrast, our solution achieves directly a t-out-of-n threshold, using polynomial sharings and secret computations over the integers. Some of the most interesting technical contributions of our work are in the security proofs of these secret computations over the integers. 

3. The Boneh-Franklin results are presented only in the honest-but-curious 
model while we are also able to present robust solutions that tolerate mali- 
cious players. 

¹ In their setting, this is the natural solution, since they also generate the modulus so that it is shared n-out-of-n. Indeed, to use our solution in their setting, one would have to implement also methods for generating and using the modulus in a t-out-of-n fashion. 
4. In an updated version of [5], some other solutions are presented. One of them is particularly efficient since it avoids costly increases in the size of the shares. However, to achieve this efficiency, the proposed solution leaks a few bits of information about ( ). Although this is acceptable for a protocol that is invoked only once (since those few bits could be guessed anyway by an adversary), it is not clear what happens when the protocol is invoked several times with the same ( ) (as in our signature applications). Hence, we designed our protocols so that they do not leak any information about ( ), in a strong, statistical, sense. (This requires some increase in the size of the shares, though.) 

Frankel-McKenzie-Yung. Building on the Boneh-Franklin solution, Frankel, McKenzie and Yung describe in [14] a way to add robustness to the protocols in [5], and in particular how to add robustness to the inversion protocol. The FMY protocol follows the structure of [5], so it also needs two invocations of the BGW multiplication protocol. Moreover, in order to achieve a t-out-of-n threshold, the FMY protocol uses representation changes for the sharing of the secret data. Namely, data which is shared in a t-out-of-n fashion is converted into a t-out-of-t fashion in order to perform computations, and then re-converted into a t-out-of-n sharing to preserve tolerance of crashing or malicious players. The complexity of the representation change is quite high, making the combined protocol much less efficient. Although the complexity of this protocol is acceptable for the task of distributed RSA key generation, where the protocol is only run once, it is too high for a protocol that must be efficiently run many times, as in the case of the signature applications. We avoid this efficiency cost by keeping the data always in a t-out-of-n representation. 

Others. Some of the techniques that we use in this work originated in papers on robust and proactive RSA. In particular, working over the integers in order to overcome the difficulty of computing modulo an unknown integer was used in several previous papers [13,18,12,21]. Finally, the “dual” problem of computing mod where is known and is shared was discussed in [2]. 



2 Preliminaries 

The Network Model. We consider a network of n players, that are connected by point-to-point private channels and by a broadcast channel.² We model failures in the network by an adversary A, who can corrupt at most t of the players. We distinguish between the following types of “failures”: 

— honest but curious: the adversary can just read the memory of the corrupted players but not modify their behavior; 

² The communication assumptions allow us to focus on a high-level description of the protocols, and they can be eliminated using standard techniques for privacy, authentication, commitment and agreement. 
— halting: an “honest but curious” adversary who may also cause any of the corrupted players to crash and abort the protocol; 

— malicious: the adversary may cause players to deviate arbitrarily from the protocol. 

We assume for simplicity that the adversary is static, i.e. the set of corrupted players is decided at the beginning of the computation of a protocol.³ We assume communication is synchronous, except that we allow rushing adversaries (i.e. adversaries who decide the messages of the bad players at round after having seen the messages of the good players at the same round). 

2.1 Definitions 

Notations. In the following we denote the shared secret modulus by , and by we denote an approximate bound on , which must be known in the protocol (in the typical RSA application, we can use the public modulus as a bound on = ( )). We also denote by the factorial of n (the number of players), i.e. = n!. 

A Modular Inversion Protocol is an n-player protocol, where as an input to the protocol the players share a secret modulus (with player i having the share i), and all the players know public inputs (a prime number) and (an approximate bound on ). At the end of the protocol, each player i has a secret output i, which would be its share of the modular inverse = mod . 

Correctness. We say that a Modular Inversion Protocol is correct if the output values constitute a t-out-of-n secret sharing of = mod . 

Privacy. We define privacy using the usual simulation approach. That is, we consider the view of the adversary A during a protocol to be the set of messages sent and received by the bad players during a run of the protocol. We say that a Modular Inversion Protocol is private if for any adversary A there exists a simulator S that runs an execution of the protocol together with A and produces for it a view that is indistinguishable from the real one. 

Security. We say that a Modular Inversion Protocol is secure if it is correct and private. 

Remark 1 (Trusted Dealer) In the above definition and in the presentation of the protocols, we implicitly assume that the modulus is already shared among the players using an appropriate t-out-of-n scheme. Specifically, for our protocols we always assume that this sharing is done over the integers, with shares from some appropriately large domain. In some cases we also assume that commitments to the shares of all the players are publicly known (see Section 5.2). The exact sharing formats of that we need are stated explicitly in the description of the protocols. 

³ It is possible to use recent techniques by Canetti et al. [6] to make our protocols secure against adaptive adversaries who corrupt players at any stage during the protocol. 
These assumptions can be made formal by including the initialization phase in the protocol definition, and analyzing the protocols under the assumption that this initialization is done by a trusted dealer. However, we feel that such a formulation will only distract attention from the focus of this paper, which is the inversion protocol. In Section 7 we briefly touch on the subject of eliminating the trusted dealer and instead having the n players jointly initialize the system. 



3 The Basic Idea 

We begin with a very simple protocol which, although it doesn’t quite solve our problem, is nonetheless useful for illustrating the basic ideas and techniques behind our solution. In particular, this protocol only works for n-out-of-n sharing (i.e. although it tolerates coalitions of n − 1 honest but curious players, it does not tolerate even a single crashing player). 

For this protocol, some multiple of the secret modulus φ is shared additively between the players. That is, each player i holds a value φ_i such that Σ_i φ_i = λφ, where λ is a random integer, much larger than φ (say, of order O(N²)). In the inversion protocol, each player i chooses a “randomizing integer” r_i ∈_R [0..N³], and broadcasts the value γ_i = φ_i + e·r_i, and all the players compute γ = Σ_i γ_i. Clearly, we have 

γ = Σ_i γ_i = Σ_i (φ_i + e·r_i) = λφ + eR 

(where R = Σ_i r_i). Assuming that gcd(γ, e) = 1, there exist a, b such that aγ + be = 1 and thus d = aR + b = e^{-1} mod φ. Additive shares of d can be easily obtained by having player 1 set d_1 = a·r_1 + b, and the other players set d_i = a·r_i. Clearly d = Σ_i d_i. 

It is not hard to see that the only information leaked by the protocol is the value γ = λφ + eR. But it is possible to prove that the distribution of γ is (almost) independent of φ. Specifically, it can be shown that when λ and R follow the probability distribution described above, then the distributions {γ = λφ + eR} and {γ' = λN + eR} are statistically close (up to O(1/N)). 

It should be noted that the above protocol is not secure when it is used more than once with the same λ and different e’s. Indeed, for each input e the protocol leaks the value λφ mod e, and so after sufficiently many runs with different e’s we can then recover the integer λφ via the Chinese Remainder Theorem. To overcome this, it is necessary to use a “fresh” λ for each input e. In the next section we show how to do this, and at the same time get a t-out-of-n threshold solution (but still in the “honest but curious” model). 

4 The Honest-but-Curious Case 

The protocol in this section achieves t-out-of-n sharing. It assumes the “honest but curious” model, in which players do not deviate from the protocol but simply pool together their data to try to gain information (in this model we need n > 2t). It also tolerates crashing faults, i.e. players who suspend their participation in the protocol (in this case we need n > 3t). In the next section we show how to add robustness to this protocol (i.e. tolerance of maliciously faulty players). 

The difference between this protocol and the one in the previous section is that all the secrets are shared via polynomials (rather than sums), and the multiple λ is chosen afresh with each execution. The rest of the protocol is similar to the basic case. The protocol is described in detail in Figure 1. On a high level the protocol goes as follows: 

— Each player starts with input a share of the secret modulus φ (multiplied by a factor of L = n! for technical reasons), via a t-degree polynomial f(z) with free term Lφ. 

— In the first round of the protocol, the players jointly generate two random t-degree polynomials g(z) and h(z) with free terms Lλ and LR, respectively, and a random 2t-degree polynomial p(z) with free term 0. 

— In the second round they reconstruct the 2t-degree polynomial F(z) = f(z)g(z) + e·h(z) + p(z) and recover its free term γ = F(0) = L²λφ + LRe. 

— Finally, they use the GCD algorithm to compute a, b such that aγ + be = 1 and set d = aLR + b = e^{-1} mod φ. Each player i computes its share of d by setting d_i = a·h(i) + b. 
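As an added example (not code from the paper), the following Python simulation runs the honest-but-curious protocol of Figure 1 for all n players in one process, so the additive trick of Section 3 and its polynomial version above can be checked end to end. The exponents k in the N^k randomizer bounds are not legible on this page, so they are parameters with assumed defaults, and the toy primes are constructed values.

```python
"""Added example (not from the paper): a single-process simulation of the
honest-but-curious inversion protocol of Figure 1 (Section 4).  Every player
is run in turn, and all interpolation is exact over the rationals."""
import math
import random
from fractions import Fraction


def poly_eval(coeffs, z):
    """Evaluate coeffs[0] + coeffs[1] z + ... over the integers."""
    return sum(c * z ** k for k, c in enumerate(coeffs))


def random_poly(free_term, degree, bound, rng):
    """Polynomial over Z with the given free term and the other
    coefficients uniform in [-bound, bound]."""
    return [free_term] + [rng.randint(-bound, bound) for _ in range(degree)]


def interpolate_at_zero(points):
    """Free term of the polynomial through the (x, y) points, computed
    exactly with Lagrange interpolation over the rationals."""
    total = Fraction(0)
    for xi, yi in points:
        coef = Fraction(1)
        for xj, _ in points:
            if xj != xi:
                coef *= Fraction(-xj, xi - xj)
        total += coef * yi
    return total


def deal_modulus(phi, N, n, t, rng):
    """Trusted-dealer input assumed by the paper: shares of L*phi on a
    t-degree polynomial whose other coefficients lie in [-L^2 N, L^2 N]."""
    L = math.factorial(n)
    f = random_poly(L * phi, t, L * L * N, rng)
    return [poly_eval(f, i) for i in range(1, n + 1)]


def invert_shared(f_shares, e, N, n, t, rng, exps=(2, 3, 3, 4, 5)):
    """Figure 1.  Returns (F(0), [d_1, ..., d_n]).  The exponents k of the
    N^k randomizer bounds are an assumption (not legible on the page); they
    only affect the secrecy margin, not correctness."""
    L = math.factorial(n)
    k_lam, k_b, k_r, k_c, k_rho = exps
    while True:
        # Round 1: P_i picks g_i (free term L*lambda_i) and h_i (free term L*r_i)
        # of degree t, and p_i of degree 2t with free term 0.
        g_polys, h_polys, p_polys = [], [], []
        for _ in range(n):
            lam_i = rng.randint(0, N ** k_lam)
            r_i = rng.randint(0, N ** k_r)
            g_polys.append(random_poly(L * lam_i, t, L * L * N ** k_b, rng))
            h_polys.append(random_poly(L * r_i, t, L * L * N ** k_c, rng))
            p_polys.append(random_poly(0, 2 * t, L * L * N ** k_rho, rng))
        # Round 2: P_j adds up the g_i(j), h_i(j), p_i(j) it received and
        # broadcasts F_j = f_j g_j + e h_j + p_j.
        h_shares, broadcast = [], []
        for j in range(1, n + 1):
            g_j = sum(poly_eval(g, j) for g in g_polys)
            h_j = sum(poly_eval(h, j) for h in h_polys)
            p_j = sum(poly_eval(p, j) for p in p_polys)
            h_shares.append(h_j)
            broadcast.append((j, f_shares[j - 1] * g_j + e * h_j + p_j))
        # Output: F has degree 2t, so 2t+1 broadcast points fix
        # F(0) = L^2 lambda phi + L R e without revealing lambda or R.
        F0 = interpolate_at_zero(broadcast[: 2 * t + 1])
        assert F0.denominator == 1
        F0 = F0.numerator
        if math.gcd(F0, e) == 1:      # otherwise go back to Round 1, as the figure says
            break
    a = pow(F0, -1, e)                # a F(0) + b e = 1 (extended GCD)
    b = (1 - a * F0) // e
    # d = a h(0) + b = a L R + b, and d e = 1 - a L^2 lambda phi = 1 (mod phi).
    # Player i's share d_i = a h(i) + b lies on the t-degree polynomial a h(z) + b.
    return F0, [a * h_i + b for h_i in h_shares]


def reconstruct(shares, t):
    """Recover d from any t+1 shares (i, d_i)."""
    d = interpolate_at_zero(shares[: t + 1])
    assert d.denominator == 1
    return d.numerator


def demo(seed=1):
    """Constructed toy instance: phi = (p-1)(q-1), bound N = pq, n = 5, t = 2."""
    rng = random.Random(seed)
    p, q, n, t, e = 1019, 1031, 5, 2, 7      # e > n is prime and coprime to phi
    phi, N = (p - 1) * (q - 1), p * q
    f_shares = deal_modulus(phi, N, n, t, rng)
    _, d_shares = invert_shared(f_shares, e, N, n, t, rng)
    pts = list(enumerate(d_shares, start=1))
    d_first = reconstruct(pts, t)
    d_last = reconstruct(pts[n - t - 1:], t)   # a different t+1 subset
    return e, phi, d_first, d_last
```

Two different t+1 subsets of the output shares must interpolate to the same d, and that d must invert e modulo the still-secret φ; this is exactly the correctness condition of Section 2.1.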



Theorem 1. If all the players carry out the prescribed protocol and n > 2t (n > 3t for the case of crashing faults) then the protocol in Figure 1 is a secure Modular Inversion Protocol according to the Definition in Section 2.1. 

The proof follows a standard simulation argument, and is described in the full version of this paper. The crucial part of the proof is to prove that L²λφ + LRe can be statistically approximated by the simulator without knowing φ. 

Remark 2 (Size of Shares) Note that the shares d_i of d = e^{-1} mod φ have order O(N⁵). If the d_i’s are used as exponents (as in the threshold signature applications we discuss in Section 6), this results in a factor of five slowdown during the generation of the signature. However, the shares do not have to be this large. We chose these bounds to make the presentation and the proof simpler. It is possible to improve (a lot) on those bounds as we discuss in Section 7. 

5 A Robust Solution 

We show how to deal with a malicious adversary who may corrupt up to t 
players and make them behave in any arbitrary manner. We use some standard 
techniques like: 

— Replace the simple secret-sharing of the first round with Verifiable Secret Sharing (VSS) à la Pedersen [20], to make sure that the players perform correct sharings; 
Inversion Protocol for Honest-but-Curious Players 

Private inputs: Sharing of Lφ using a t-degree polynomial over the integers. Player P_i has private input f_i = f(i), where f(z) = Lφ + a_1 z + ... + a_t z^t, and ∀i, a_i ∈ [−L²N, L²N]. 

Public input: prime number e > n, an approximate bound N on φ. 

[Round 1] Each player P_i does the following: 

1. Choose λ_i ∈_R [0..N²], b_{i,1}, ..., b_{i,t} ∈_R [−L²N^?..L²N^?]. 
   Choose r_i ∈_R [0..N^?], and c_{i,1}, ..., c_{i,t} ∈_R [−L²N^?..L²N^?]. 
   Choose ρ_{i,1}, ..., ρ_{i,2t} ∈_R [−L²N^?..L²N^?]. 

2. Set g_i(z) = Lλ_i + b_{i,1} z + ... + b_{i,t} z^t, h_i(z) = L r_i + c_{i,1} z + ... + c_{i,t} z^t, and p_i(z) = 0 + ρ_{i,1} z + ... + ρ_{i,2t} z^{2t}. 

3. Send to each player P_j the values g_i(j), h_i(j), p_i(j), computed over the integers. 

[Round 2] Each player P_j does the following: 

1. Set g_j = Σ_{i=1}^{n} g_i(j), h_j = Σ_{i=1}^{n} h_i(j), and p_j = Σ_{i=1}^{n} p_i(j). 
   (These are its shares of the polynomials g(z) = Σ_i g_i(z), h(z) = Σ_i h_i(z), and p(z) = Σ_i p_i(z).) 

2. Broadcast the value F_j = f_j g_j + e h_j + p_j. 

[Output] Each player P_i does the following: 

1. From the broadcast values interpolate the 2t-degree polynomial F(z) = f(z)g(z) + e·h(z) + p(z). 

2. Using the GCD algorithm, find a, b such that aF(0) + be = 1. If no such a, b exist, go to Round 1. 

3. The inverse of e is d = ah(0) + b. Privately output the share of the inverse, d_i = ah(i) + b. 



Fig. 1. Computing inverses in the all-honest case 



— Use error-correcting codes or zero-knowledge proofs to combat malicious 
players who may contribute incorrect shares for the reconstruction of the 
polynomial ( ) in Round 2. 

A few technical complications arise from the fact that we use secret sharing over 
the integers. Some are solved using known techniques that were developed for 
robust and proactive RSA [15,12,21,7], others require some new machinery. 

5.1 Pedersen’s VSS Revisited 

The problems that we need to tackle are how to ensure that the secrets are shared correctly in Round 1 and recovered correctly in Round 2. For the first problem, we use a variant of Pedersen’s Verifiable-Secret-Sharing protocol [20], adjusted to account for the fact that we share these secrets over the integers. 
In Pedersen’s scheme the secret and the shares are viewed as “indices” for some cyclic group ( ). Hence, there is an efficient mapping between shares and group elements and the players use the group operation to verify various properties of the shares. There are, however, two problems with using this approach in our setting: 

— In our setting, it is imperative that the secrets satisfy some equations over the integers, and not just modulo the order of . (For example, it would be useless if the shares of = mod would interpolate to + ord( ) over the integers.) 

— Pedersen’s protocol does not provide tools to prove that the shared secret is “small enough”, whereas the secrecy of our protocol relies on the fact that we know some bound on the size of the secrets. (For example, if the size of in γ = + is much larger than the other terms, then clearly γ reveals information about .) 

Overcoming the second problem is easy. Each player simply checks that its shares 
are bounded in some interval, and then we show that the secret must also be 
bounded in some (slightly larger) interval. Solving the first problem is a little 
harder. We propose two solutions to this problem, each with its own advantages 
and drawbacks: 

— Work with a group of unknown order. If the order of is not known, then it would be potentially hard for the dealer to arrange that some relations hold modulo ord( ) but not over the integers. More specifically, we show that when Pedersen’s protocol is executed over an RSA modulus = , which is a product of two safe primes ( = 2 ' + 1, = 2 ' + 1 with ', ' all primes), then it is indeed a secure VSS under the strong-RSA assumption (see below). 

An advantage of this solution is that the modulus is independent of the bound on the size of the secrets and shares, and so a smaller modulus can be used. The drawback is that we must work in a system where such an RSA modulus of unknown factorization is available, and that we use the strong-RSA assumption, which is stronger than, say, plain RSA or discrete-log. Still, for the main applications of our result (constructing threshold versions of the signature schemes described in [17,9]), these drawbacks do not matter, since those signature schemes already use these special-form RSA moduli and are based on the strong-RSA assumption. 

— Work with a very large group. Another option would be to make the order of much larger than all the other parameters of the system. This way, if the players verify that the size of their shares is “small enough” then any relation that holds modulo ord( ) must also hold over the integers, simply because the numbers involved can never be large enough to “wrap around” ord( ). 

It is therefore possible to use Pedersen’s original protocol modulo a large prime, provided that all the players check the size of their shares⁴ and the prime is large enough. Specifically, if there are n players, and each player verifies that its share is smaller than some known bound B, then it is sufficient to work over a prime > tn^rilB. 

The second solution above is pretty straightforward, and will be described in the full version of the paper. Below we only describe the details of the first solution. For this solution, we have a public modulus M of unknown factorization, which is a product of two safe primes ( = , = 2 ' + 1, = 2 ' + 1). For such a modulus, the squares form a cyclic subgroup of Z*_M of order ' '. We let G, H ∈ Z*_M be two random squares which generate the squares subgroup, and we assume that nobody knows the discrete log of H with respect to G. The protocol is spelled out in Figure 2. 

The Strong-RSA Assumption. This assumption was introduced in [1] and subsequently used in several other works [15,17,9]. It conjectures that, given a random square in Z*_M, there exists no polynomial time algorithm that can compute an element of Z*_M and an integer ≠ 1 such that the element raised to that integer equals the given square mod M. 

Lemma 1. Under the Strong-RSA assumption, the protocol PedVSS is a VSS 
against an adversary who corrupts at most t players when n > 2t. 

The reduction from the security of PedVSS (over the integers) to Strong-RSA 
follows an approach presented first in [15]. 

Remark 3 (Share Size Check) The security proof of PedVSS does not require that players check the size of their shares in Step 4. This check however guarantees the good players that the shared secret is bounded by (since the Lagrange interpolation formula tells us that the secret can be written as the linear combination of t + 1 shares with coefficients all smaller than ). 



Remark 4 (Sharing a Known Value) In the robust protocol we use the pro- 
tocol PedVSS to share either a secret unknown value, or the value 0. The latter 
is used to randomize the product polynomial in the multiplication step. 

5.2 The Robust Solution 

The main change from the honest-but-curious to the robust solution is that all the secrets are now shared using our variant of Pedersen’s VSS. The full protocol is described in Figure 3. In this description we distinguish between two cases: n > 4t or 3t < n < 4t. 

When n > 4t we can use error-correcting codes to interpolate the polynomial F(z) (e.g., using the Berlekamp-Welch algorithm [4], or see for example the appendix in [24]). 

⁴ Note that in Pedersen’s protocol, the shares and secrets are committed to by setting C(x) = mod P for a random r. In our setting, the players would have to check that the “real share” x is in the allowed interval, but the randomizing element r can be any element in Z_{P−1}. 
PedVSS 

Dealing Phase 

Public Input: RSA modulus M (product of two safe primes), two random squares G, H ∈ Z*_M, and a bound β. 

Input for the dealer: A secret λ ∈ [0..β]. 

1. The dealer chooses λ̂ ∈_R [0..β] and b_1, ..., b_t, b̂_1, ..., b̂_t ∈_R [−?..?]. 
   Sets h(z) = Lλ + b_1 z + ... + b_t z^t and ĥ(z) = Lλ̂ + b̂_1 z + ... + b̂_t z^t. 
   Sends privately to player P_i the values h(i) and ĥ(i) computed over the integers. 
   Broadcasts publicly the values C_0 = G^{Lλ} H^{Lλ̂} mod M and C_j = G^{b_j} H^{b̂_j} mod M for j = 1, ..., t. 

2. Player P_i checks that 

   G^{h(i)} H^{ĥ(i)} = Π_{j=0}^{t} (C_j)^{i^j} mod M      (1) 

   If the check fails, P_i complains publicly. If more than t players complain the dealer is disqualified. 

3. If the dealer is not disqualified, it reveals the values h(i), ĥ(i) satisfying Equation (1) for the players P_i who complained at the previous step. If the dealer does not perform this step correctly it is disqualified. 

4. Player P_i checks that the values it received and the values broadcast by the dealer in the previous steps are integers bounded in absolute value by tn^?L^?Mβ. If the check fails, P_i exposes its share. If an exposed share is larger than tn^?L^?Mβ and matches Equation (1) then the dealer is disqualified.ᵃ 

Reconstruction Phase 

1. Each player P_i reveals h(i), ĥ(i). Only the values satisfying Equation (1) will be accepted. 

2. Interpolate t + 1 of those values to reconstruct h(z) over the rationals and output the secret λ = h(0). 

ᵃ This step is not needed for this protocol to be a “secure VSS protocol”, see Remark 3. 



Fig. 2. Pedersen’s VSS 
For the case of 3t < n < 4t we do not have enough points to do error-correction, so we identify and sieve out the bad shares by having each player i prove in zero knowledge that its value F(i) is the correct one. In the latter case, we need the players to have as public input commitments to the coefficients of the polynomial f(z) (that is used to share φ), and we use these commitments in the zero-knowledge proofs. The ZK proof (described in detail in Appendix A) is a 3-round, public-coin, honest-verifier statistical ZK proof. When this ZK proof is executed in the distributed protocol above, each player will run it once as the prover. The verifier’s challenge will be jointly generated by the other n−1 servers. It is shown by Canetti et al. [6] that it is sufficient that the protocol is only honest-verifier ZK since each prover runs the protocol against a “virtual” verifier which is implemented by the other n−1 players. This virtual verifier will be forced to act honestly because a majority of the other players is honest. 

Remark 5 (M versus N) If the value N is already an RSA modulus, product of two strong primes, then in Robust Protocol it is possible to set M = N. This is indeed the case in most of our applications. 



Theorem 2. Under the Strong-RSA assumption, if the dealer is honest and n > 
3t, then Robust Protocol is a secure Modular Inversion Protocol (according 
to the Definition in Section 2.1) in the presence of a malicious adversary who 
corrupts at most t players. 



6 Applications 

The main application of our result is the construction of threshold variants for two recently proposed signature schemes [17,9]. Let us briefly recall the concept of threshold cryptography (which originates in a paper by Desmedt [10]). In a threshold signature scheme n parties hold a t-out-of-n sharing of the secret key S for a signature scheme. Only when at least t + 1 of them cooperate can they sign a given message. It is very important however that the computation of such a signature is performed without exposing any other information about the secret key; in particular the players cannot reconstruct S and use the signing algorithm, but must use their shares implicitly in a communication protocol which outputs the signature. A large body of research has been done on threshold signature schemes: for lack of space we refer the reader only to two literature surveys [11,16]. 

Threshold GHR Signatures. In [17] Gennaro, Halevi and Rabin present a new signature scheme which is secure under the Strong-RSA assumption. The scheme works as follows. The public key of the signer is an RSA modulus N, product of two safe primes, and a random element s ∈ Z*_N. To sign a message m, the signer first hashes it using a suitable hash function to obtain e = H(m) and then computes σ(m) such that σ(m)^e = s mod N. We refer the reader to [17]. 
Robust Protocol 

Private inputs: Sharing of the number Lφ using a t-degree polynomial over the integers. Player P_i has private input f_i = f(i), where f(z) = Lφ + a_1 z + ... + a_t z^t, and ∀j, a_j ∈ [−L²N, L²N]. If 3t < n < 4t then P_i also has f̂_i = f̂(i), where f̂(z) = â_0 + â_1 z + ... + â_t z^t, and ∀j, â_j ∈ Z_M. 

Public input: prime number e > n, and an approximate bound N on φ. An RSA modulus M (product of two safe primes), and two random squares G, H ∈ Z*_M. If 3t < n < 4t then also the commitments to the coefficients of f(z). 

[Part 1] Each player P_i chooses λ_i ∈_R [0..N²], and r_i ∈_R [0..N^?], and does the following: 

1. Use PedVSS to share λ_i with bound N² and t-degree polys g_i(z) and ĝ_i(z). 

2. Use PedVSS to share r_i with bound N^? and t-degree polys h_i(z) and ĥ_i(z). 

3. Use PedVSS to share 0 with bound N^? and 2t-degree polys p_i(z) and p̂_i(z). 

Let A be the set of players who were not disqualified in Part 1, denote λ = Σ_{i∈A} λ_i, R = Σ_{i∈A} r_i, and denote 

g(z) = Σ_{i∈A} g_i(z),   h(z) = Σ_{i∈A} h_i(z),   p(z) = Σ_{i∈A} p_i(z), 

ĝ(z) = Σ_{i∈A} ĝ_i(z),   ĥ(z) = Σ_{i∈A} ĥ_i(z),   p̂(z) = Σ_{i∈A} p̂_i(z). 

[Part 2] Each player P_j does the following: 

1. Generates its shares of the polynomials g(z), h(z), p(z) by summing the shares that were received in Part 1 from players in A. If 3t < n < 4t, also generates its shares of the polynomials ĝ, ĥ, p̂ similarly. 

2. Calculates F_j = f(j)g(j) + e·h(j) + p(j), and broadcasts F_j as its share of the 2t-degree polynomial F(z) = f(z)g(z) + e·h(z) + p(z). 

Notice that the free term of F(z) is the integer F(0) = L²λφ + LRe. 

[Part 3] We distinguish two cases: 

1. If n > 4t then the players interpolate over the rationals, using error-correction, the unique polynomial F(z) of degree 2t passing through n − t of the broadcast points, and set γ = F(0). 

2. If 3t < n < 4t, each player P_i proves that the value F_i is correct using the subprotocol Prove-Correct (described in Appendix A). The players interpolate the unique polynomial F(z) of degree 2t passing through the broadcast points which are proven correct, and set γ = F(0). 

[Output] 

1. Using the GCD algorithm, each player computes two values a, b such that aF(0) + be = 1. If no such a, b exist, return to Part 1. 

2. Each player P_i privately computes its share of the inverse, d_i = ah(i) + b. 



Fig. 3. Computing inverses in the malicious case 
Using our Modular Inversion Protocol, we can create a threshold version for the GHR scheme as follows. A trusted dealer can initialize the system by choosing and sharing φ(N) as needed in our solution(s) (either the honest-but-curious or the robust one depending on the model). For a reason that will be soon apparent, the dealer also chooses s as follows: pick a random square s_0 ∈ Z*_N, compute s = s_0^L mod N, and make s_0, s public. 

Then for each message m to be signed, the players publicly compute e = H(m) and perform an execution of the inversion protocol, to obtain shares d_i of d = e^{-1} mod φ(N). Recall that each d_i is the point a·h(i) + b on a t-degree polynomial a·h(z) + b whose free term is d. It follows then that for any subset T of t + 1 shares we can write 

d = Σ_{i∈T} μ_{i,T} · d_i 

where μ_{i,T} are the appropriate Lagrange interpolation coefficients. Notice that the above equation is taken over the rationals, so μ_{i,T} may be fractions. However because we are always interpolating integer points in the set {1, ..., n} we have that L·μ_{i,T} is always an integer. The protocol is concluded by having each player reveal S_i = s_0^{d_i}. Then 

σ(m) = s^d = s_0^{L·d} = Π_{i∈T} S_i^{L·μ_{i,T}} 

and the exponents are all integers. 
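Added example (not the paper’s code) of the combination step just described: shares d_i on a t-degree integer polynomial (dealt directly here, as a stand-in for the output of the inversion protocol), the partial signatures S_i = s_0^{d_i}, and the product Π S_i^{L·μ_{i,T}} checked against σ^e = s mod N. The safe primes, s_0 and e are constructed toy values.

```python
"""Added example (not the paper's code): threshold GHR signing from shares of
d = e^{-1} mod phi(N), Section 6.  A toy dealer shares d directly in place of
the inversion protocol; the combination step follows the text."""
import math
import random
from fractions import Fraction


def lagrange_at_zero(xs, xi):
    """mu_{i,T}: Lagrange coefficient of abscissa xi within the set xs,
    for evaluating the interpolated polynomial at 0."""
    c = Fraction(1)
    for xj in xs:
        if xj != xi:
            c *= Fraction(-xj, xi - xj)
    return c


def share_integer(secret, n, t, bound, rng):
    """Points (i, d_i), i = 1..n, on a t-degree integer polynomial with free
    term `secret` (stand-in for the shares output by the inversion protocol)."""
    coeffs = [secret] + [rng.randint(-bound, bound) for _ in range(t)]
    return {i: sum(c * i ** k for k, c in enumerate(coeffs)) for i in range(1, n + 1)}


def partial_signature(s0, d_i, N):
    """Player i reveals S_i = s0^{d_i} mod N.  d_i may be negative; s0 is a
    square coprime to N, so its modular inverse exists."""
    return pow(s0, d_i, N)


def combine(partials, L, N):
    """sigma = prod_{i in T} S_i^{L mu_{i,T}} mod N over |T| = t+1 partials.
    L = n! turns every exponent into an integer, as the text argues."""
    xs = list(partials)
    sigma = 1
    for xi in xs:
        exp = L * lagrange_at_zero(xs, xi)
        assert exp.denominator == 1, "L*mu_{i,T} must be an integer"
        sigma = sigma * pow(partials[xi], exp.numerator, N) % N
    return sigma


def verify(sigma, e, s, N):
    """GHR verification equation: sigma^e = s mod N."""
    return pow(sigma, e, N) == s


def demo(seed=7):
    """Constructed toy instance: N = 23*47 (both safe primes), n = 5, t = 2."""
    rng = random.Random(seed)
    p, q, n, t = 23, 47, 5, 2
    N, phi, L = p * q, (p - 1) * (q - 1), math.factorial(n)
    e = 7                                  # stands for the prime hash value H(m) > n
    d = pow(e, -1, phi)                    # what the inversion protocol would share
    s0 = pow(5, 2, N)                      # random square s0, published by the dealer
    s = pow(s0, L, N)                      # s = s0^L mod N, also public
    d_shares = share_integer(d, n, t, N * N, rng)
    partials = {i: partial_signature(s0, d_shares[i], N) for i in d_shares}
    subset = {i: partials[i] for i in (1, 3, 5)}        # any t+1 players suffice
    sigma = combine(subset, L, N)
    return verify(sigma, e, s, N), sigma == pow(s, d, N)
```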

In the case of malicious players, a zero-knowledge proof must be added that S_i is the correct value. Notice that if n > 4t we can still use error-correcting codes inside the inversion protocol, but we do not know how to do error-correction “in the exponent” for the S_i’s and thus the ZK proof for this step is required also when n > 4t. An efficient ZK proof similar to Prove-Correct (see Appendix A) can be implemented using the public information generated by the inversion protocol. More specifically, the inversion protocol generates public commitments to the shares d_i. When player i reveals S_i = s_0^{d_i} it proves that the discrete log of S_i in base s_0 is the same as the opening he knows of the commitment. 

A couple of remarks are in order. Because of the way we generate s it is obvious that any message m whose hash value is in the set {1, ..., n} can be forged, so we need to require that H(m) > n for all messages. This is not a problem as [17] already assumes that = ( ). Also in one of the variations presented in [17] the hash function is randomized, i.e. e is computed by hashing m together with a random string which is then attached to the signature for verification purposes. In this case the inversion protocol must be preceded by a coin flipping protocol by the n players to generate that random string. 

Threshold Cramer-Shoup Signatures. In [9] Cramer and Shoup presented 
the following signature scheme. The signer public key is (the product of two 
safe primes ), two random squares h € ^ and a random prime ' suf- 

ficiently long (say 160 bits). To sign a message m, the signer generates a new 
prime ≠ ' (also of length 160 bits) and a random square ' ∈ . Two values 
' are then computed as 

' = , , mod and = ( mod 

hH{m) \ J 

where is a collision-resistant hash function. The signature is ( ') 

A threshold version of the Cramer-Shoup signature scheme is obtained in the same way as the threshold GHR scheme, since the only part that involves the secret key is the computation of $y$ (here also, for the same reason as above, the dealer must choose $h$ and $x$ as powers of public values $h_0$ and $x_0$ modulo $N$, and make public the values $h_0, x_0$). The only difference is that here the prime $e$ must be generated by the players instead of being publicly computed via a hash function, and the requirement is that the signers never use the same prime for two different messages. This can be done either by having the players together generate randomness and use it for prime generation, or by having one player choose $e$, and the others just check that it was never used before. (For the latter solution the players need to keep state, and there must be some protocol to keep this state “synchronized” between different players.)

7 Conclusions 

We presented new protocols to compute a sharing of the inverse of a public integer modulo a shared secret $N$. We also presented applications to the construction of threshold variants for two newly proposed signature schemes. Our result was constructed with these specific applications in mind, and we focused on protocols which would minimize the round complexity (i.e. the interaction between servers). This is the main improvement with respect to previous solutions from [5,14].

We conclude with some remarks. 

A Note on the Assumptions Used. In this extended abstract we focused on a robust solution to the modular inversion problem which requires the Strong-RSA assumption and the generation of “safe” primes. This solution is the more natural one to use for the applications presented in Section 6, which already have such a requirement. We would like to stress however that the Strong-RSA assumption and the generation of safe primes are needed only for this variant of the protocol. As we mentioned before, by using Pedersen’s VSS over a large prime field it is possible to construct a robust Modular Inversion Protocol based only on the Discrete Log assumption. That is, it is possible to state and prove an analogue of Theorem 2 assuming only that computing discrete logs is hard. Details will appear in the final paper.

A Note on Efficiency. To simplify the presentation, we did not focus on keeping the size of the integers used in our computations as small as possible. It is however possible to reduce the size of the integers: this is particularly important for the shares $d_i$, which are used as exponents in our threshold signature applications.

The main reason for the increase in size of the integers is that our proofs use $\log N$ as our security parameter (i.e. we define a quantity to be negligible if it is smaller than $1/N$). If instead we were to choose a different security parameter $k$ (and define negligible anything smaller than $2^{-k}$), then part of the growth in the size of the shares would be in multiplicative factors of $2^k$ rather than $N$. In particular the real bound on the size of the shares $d_i$ is ( for the honest-but-curious case, and ( ^2^^) for the malicious adversary case. For reasonable choices of the parameters (say $k = 100$ and $\log N = 1000$) this is even less than ( ^), so the threshold signature protocols proposed in Section 6 are slower by less than a factor of 3 than the centralized one.

It would be interesting to come up with different protocols (or proof techniques for our protocol) that further reduce this size.

On the Trusted Dealer. Throughout the paper we implicitly assumed that the input for our protocols (i.e., the sharing of $N$) was generated by a trusted dealer. In some cases this assumption can be eliminated by having the players generate $N$ cooperatively. For example, for the applications in which = ( ) for an RSA modulus we can use the first part of the Boneh-Franklin result [5] to have the players jointly generate and share ( ) among them. Notice that [5] cannot be used to generate a product of two safe primes, so in this case we must use the discrete-log based robust solution.

A The Proof of Share Correctness

The problem facing the players in Part 3, Step 2 of Robust Protocol can be abstracted as follows. We have public values = “ “,i?= ^ ° and . A player knows ' ", it publishes a value , and needs to prove that = + (in Robust Protocol each player $i$ has to perform this task with = /(*) " = /(*)? = (*) = "(*)) = (*) " = "(*); we are not considering the randomizers (z) "(i) for simplicity.)

Notice that the problem arises because $P$ has to open a value that contains the product of two committed values. We solve the problem by having $P$ publish a new commitment $D = G^{ab}H^r$ to $ab$ and prove in zero-knowledge that it is correct, and then open the commitment $D C^e$.

The protocol described in Figure 4 works for the case in which we use the robust solution based on the Strong-RSA assumption and assumes that $M$ is the product of two safe primes. For the other version of the robust protocol (the one based on discrete-log), a similar, simpler, protocol can be used as described in the final version.



Prove-Correct

Private input for $P$: $a, \hat a, b, \hat b, c, \hat c$.

Public input: RSA modulus $M$, $G, H$ as above, $A = G^a H^{\hat a}$, $B = G^b H^{\hat b}$, $C = G^c H^{\hat c}$, and $F$.

Goal: Prove that $F = ab + ec$.

1. $P$ chooses a random $r$ (from the prescribed interval) and publishes $D = G^{ab} H^r$.

2. $P$ proves in zero-knowledge (to a verifier $V$) that $D$ is correct w.r.t. $A, B$ as follows:

(a) $P$ chooses $\alpha, \hat\alpha, \beta, \hat\beta, \gamma$ at random (from the prescribed interval) and sends to $V$ the values $M_1 = G^{\alpha} H^{\hat\alpha}$, $M_2 = G^{\beta} H^{\hat\beta}$, $M_3 = A^{\beta} H^{\gamma}$.

(b) $V$ chooses a random $d$ in $[0, M]$ and sends it to $P$.

(c) $P$ answers with the following values: $x = \alpha + da$, $\hat x = \hat\alpha + d\hat a$, $z = \gamma + d(r - b\hat a)$, $y = \beta + db$, $\hat y = \hat\beta + d\hat b$.

(d) $V$ accepts if $G^x H^{\hat x} = M_1 A^d$, $G^y H^{\hat y} = M_2 B^d$, and $A^y H^z = M_3 D^d$.

3. $P$ reveals $f = ab + ec$ and $\hat f = r + e\hat c$. The value $F$ is accepted if and only if $G^f H^{\hat f} = D C^e \bmod M$.

Fig. 4. How to prove that $F = ab + ec$.



The protocol in step 2 of Prove-Correct is an honest-verifier, statistical ZK proof of knowledge of the openings of the commitments $A$, $B$ and $D$, and simultaneously proves that the opening of $D$ is the product of the openings of $A$ and $B$.

The extraction works using a technique due to Fujisaki and Okamoto [15] and it assumes that the prover is not able to solve the Strong-RSA assumption.

The proof is statistical ZK for the following reason. Notice that in our application the product is ( ^). By choosing the original randomizers in the set [— ® ®] we make sure that the Prover’s answers in step 2c are statistically indistinguishable from random numbers in that interval. Details will appear in the final paper.
Abstract. We present an RSA threshold signature scheme. The scheme enjoys the following properties:

1. it is unforgeable and robust in the random oracle model, assuming 
the RSA problem is hard; 

2. signature share generation and verification is completely non-interactive;

3. the size of an individual signature share is bounded by a constant 
times the size of the RSA modulus. 



1 Introduction 

A $k$ out of $l$ threshold signature scheme is a protocol that allows any subset of $k$ players out of $l$ to generate a signature, but that disallows the creation of a valid signature if fewer than $k$ players participate in the protocol. This non-forgeability property should hold even if some subset of less than $k$ players are corrupted and work together. For a threshold scheme to be useful when some players are corrupted, it should also be robust, meaning that corrupted players should not be able to prevent uncorrupted players from generating signatures.

The notion of a threshold signature scheme has been extensively studied. 
However, all previously proposed schemes suffer from at least one of the following 
problems: 

1. the scheme has no rigorous security proof, even in the random oracle model;

2. signature share generation and/or verification is interactive, moreover re- 
quiring a synchronous communications network; 

3. the size of an individual signature share blows up linearly in the number of 
players. 

To correct this situation, we present a new threshold RSA signature scheme 
that enjoys the following properties: 

1. it is unforgeable and robust in the random oracle model, assuming the RSA problem is hard;

2. signature share generation and verification is completely non-interactive; 

3. the size of an individual signature share is bounded by a small constant times 
the size of the RSA modulus. 

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 207-220, 2000. 

© Springer-Verlag Berlin Heidelberg 2000
We stress that the resulting signature is a completely standard “hash and invert” RSA signature, in the sense that the format of the public key and verification algorithm are the same as for ordinary RSA signatures. We do, however, place some restrictions on the key; namely, the public exponent must be a prime exceeding $l$, and the modulus must be the product of two “strong” primes.

Our scheme is exceedingly simple, and it is truly amazing that such a scheme 
has apparently not been previously proposed and analyzed. 

We also consider a more refined notion of a threshold signature scheme, where there is one threshold $t$ for the maximum number of corrupt players, and another threshold $k$ for the minimum quorum size. The fact that a particular message has been signed means that at least $k - t$ uncorrupted players have authorized the signature.

Previous investigations into threshold signature schemes have always assumed (explicitly or implicitly) that $k = t + 1$. We also investigate the more general setting where $k > t + 1$. This generalization is useful in situations where the uncorrupted parties do not necessarily agree on what they are signing, but one wants to be able to prove that a large number of them have authorized a particular signature. In particular, threshold signatures with $k = l - t$ and $t < l/3$ can be exploited to reduce the sizes of the messages sent in Byzantine agreement protocols in an asynchronous network. This is explored in detail in [CKS00].

The application to asynchronous Byzantine agreement was actually our orig- 
inal motivation for studying this problem, and is the main reason for our require- 
ment that the signing protocol is non-interactive. Almost all previous work on 
threshold signatures assumes a model with a synchronous network, and where all 
players somehow simultaneously agree to start the signing protocol on a given 
message. Clearly, we can not work in such a model if we want to implement 
asynchronous Byzantine agreement. 

We stress that our notion of a “dual-parameter” threshold scheme provides 
stronger security guarantees than single parameter threshold schemes, and such 
schemes are in fact more challenging to construct and to analyze. Our notion of 
a dual-parameter threshold scheme should not be confused with a weaker notion 
that sometimes appears in the threshold cryptography literature (e.g., [MS95]). 
For this weaker notion, there is a parameter ' t such that the reconstruction 
algorithm requires ' shares, but the security guarantee is lost if just a single 
honest party reveals a share. In our notion, no security is lost unless —t honest 
parties reveal their shares. 

We work with a “static corruption model”: the adversary must choose which players to corrupt at the very beginning of the attack. This is in line with previous investigations into threshold signatures, which also (explicitly or implicitly) assume static corruptions.

Our basic scheme, Protocol 1, can be proven secure when $k = t + 1$ in the random oracle model under the RSA assumption.

We present another scheme, Protocol 2, for use in the more general setting $k > t + 1$. Protocol 2 can be proven secure — again, in the random oracle model — when $k = t + 1$ under the RSA assumption, and when $k > t + 1$ under an additional assumption, namely, an appropriate variant of the Decision Diffie-Hellman assumption.

As already mentioned, our proofs of security are valid in the so-called “ran- 
dom oracle model,” where cryptographic hash functions are replaced by a ran- 
dom oracle. This model was used informally by Fiat and Shamir [FS87], and 
later was rigorously formalized and more fully exploited in Bellare and Rogaway 
[BR93], and thereafter used in numerous papers. 

For Protocol 1, we only need random oracles for robustness, if we assume that 
ordinary RSA signatures are secure. In fact, Gennaro et al. [GJKR96a] present a 
non-interactive share verification scheme that can be analyzed without resorting 
to random oracles. One could use their verification scheme in place of the one 
we suggest, thus avoiding random oracles in the analysis, but this would have 
certain practical drawbacks, requiring a special relationship between the sender 
and recipient of a share of a signature. Alternatively, one could use a simple 
interactive share verification scheme. The resulting signature scheme would no 
longer be truly non-interactive, but it would still not require any coordination 
or synchronization among the players. We do not explore these alternatives in 
any detail here, as they are quite straightforward. 

The analysis of Protocol 2 makes use of the random oracle model in a more fundamental way. Since this seemed inevitable, we took several liberties in the design of Protocol 2, so that it is actually a bit simpler and more efficient than Protocol 1. Thus, even if $k = t + 1$, Protocol 2 may be an attractive practical alternative to Protocol 1.

We view a proof of security in the random oracle model as a heuristic argu- 
ment that provides strong evidence that a system cannot be broken. All things 
being equal, a proof of security in the random oracle model is not as good as 
a proof of security in the “real world,” but is much better than no proof at 
all. Anyway, it does not seem unreasonable to use the random oracle model, 
since that is the only way we know of to justify the security of ordinary RSA 
signatures. 

Previous Work 

Desmedt [Des87] introduces the more general notion of threshold signatures. Desmedt and Frankel [DF89] present a non-robust threshold ElGamal scheme [ElG85] based on “secret sharing” [Sha79], i.e., polynomial interpolation over a finite field. Their scheme has small share size, but requires synchronized interaction. Harn [Har94] presents a robust threshold ElGamal scheme with small share size, but again requires synchronized interaction. It seems that the security of both of the above schemes can be rigorously analyzed in a satisfactory way, although neither paper does this. Gennaro et al. [GJKR96b] present a robust threshold DSS scheme with small share size that again requires synchronized interaction; they also give a rigorous security analysis.
All of the above-mentioned schemes are interactive. Indeed, any threshold signature scheme based on discrete logarithms appears doomed to be interactive, since all such signature schemes are randomized, and so the signers have to generate random values jointly, which apparently requires interaction.

In [DF89], Desmedt and Frankel also briefly address the problem of designing a threshold RSA [RSA78] signature scheme, noting that there are some technical obstructions to doing this arising from the fact that polynomial interpolation over the coefficient ring $\mathbb{Z}_{\phi(n)}$, where $n$ is the RSA modulus and $\phi$ the Euler totient function, is somewhat awkward. Later, Desmedt and Frankel [DF91] return again to the problem of threshold RSA, and present a non-robust threshold RSA scheme that is non-interactive and with small share size, but with no security analysis. Frankel and Desmedt [FD92] present results extending those in [DF91], giving a proof of security for a non-robust threshold RSA scheme with small share size, but which requires synchronized interaction. Later, De Santis et al. [DDFY94] present a variation (also non-robust) on the scheme in [FD92] that trades interaction for large share size (growing linearly in the number of players). Both [FD92] and [DDFY94] avoid the problems of polynomial interpolation over $\mathbb{Z}_{\phi(n)}$ by working instead over $\mathbb{Z}[X]/(\Phi_q(X))$, where $\Phi_q(X)$ is the $q$th cyclotomic polynomial (taken mod $\phi(n)$), and $q$ is a prime greater than $l$. This is convenient, as standard secret sharing techniques can then be directly applied, but it leads to much more complicated schemes that also require either interaction or large share sizes.

Gennaro et al. [GJKR96a] give a few general techniques that allow one to 
make RSA threshold systems robust. 

Later, Frankel et al. [FGMY97b,FGMY97a] and Rabin [Rab98] propose and rigorously analyze robust threshold RSA schemes that have small share size, but require synchronized interaction. These papers take a different approach to the “interpolation over $\mathbb{Z}_{\phi(n)}$ problem,” sidestepping it by introducing an extra layer of “secret sharing” and much more interaction and complexity. These schemes have other features as well, namely they provide a type of security known as “pro-active security,” a topic we do not address here at all.

As we shall see, the “interpolation over $\mathbb{Z}_{\phi(n)}$ problem” is not really a problem at all — it is entirely trivial to work around the minor technical difficulties to obtain an extremely simple and provably secure threshold RSA scheme. We do not even need a random oracle if we do not require robustness and we are willing to assume that the RSA signature scheme is itself secure.



Organization 

In §2 we describe our system model and security requirements for threshold signatures. In §3 we describe Protocol 1. In §4 we analyze Protocol 1 in the case $k = t + 1$. In §5 we present Protocol 2, and analyze it in the more general case $k > t + 1$.

2 System Model and Security Requirements

The Participants. We have a set of $l$ players, indexed $1, \dots, l$, a trusted dealer, and an adversary. There is also a signature verification algorithm, a share verification algorithm, and a share combining algorithm.

There are two parameters:

$t$ — the number of corrupted players;

$k$ — the number of signature shares needed to obtain a signature.

The only requirements are that $k \geq t + 1$ and $l - t \geq k$.

The Action. At the beginning of the game, the adversary selects a subset of t 
players to corrupt. 

In the dealing phase, the dealer generates a public key $PK$ along with secret key shares $SK_1, \dots, SK_l$, and verification keys $VK, VK_1, \dots, VK_l$. The adversary obtains the secret key shares of the corrupted players, along with the public key and verification keys.

After the dealing phase, the adversary submits signing requests to the uncor- 
rupted players for messages of his choice. Upon such a request, a player outputs 
a signature share for the given message. 

Robustness and Combining Shares. The signature verification algorithm takes as input a message and a signature, along with the public key, and determines if the signature is valid. The signature share verification algorithm takes as input a message, a signature share on that message from a player $i$, along with $PK$, $VK$, and $VK_i$, and determines if the signature share is valid. The share combining algorithm takes as input a message and $k$ valid signature shares on the message, along with the public key and (perhaps) the verification keys, and outputs a valid signature on the message.

Non-forgeability. We say that the adversary forges a signature if at the end of the game he outputs a valid signature on a message that was not submitted as a signing request to at least $k - t$ uncorrupted players. We say that the threshold signature scheme is non-forgeable if it is computationally infeasible for the adversary to forge a signature.

Discussion. Notice that our model explicitly requires that the generation and 
verification of signature shares is completely non-interactive. 

Also notice that we have two independent parameters $t$ and $k$. As mentioned in the introduction, previous investigations into threshold signatures have only dealt with the case $k = t + 1$. In this case, the non-forgeability requirement simply says that a signature is forged if no uncorrupted player was asked to sign it. As we shall see, achieving non-forgeability when $k > t + 1$ is harder to do than when $k = t + 1$. For simplicity, we shall start with the case $k = t + 1$.

3 Protocol 1: A Very Simple RSA Threshold Scheme



We now describe Protocol 1, which will be analyzed in the next section when $k = t + 1$.



The Dealer. The dealer chooses at random two large primes of equal length (512 bit, say) $p$ and $q$, where $p = 2p' + 1$, $q = 2q' + 1$, with $p', q'$ themselves prime. The RSA modulus is $n = pq$. Let $m = p'q'$. The dealer also chooses the RSA public exponent $e$ as a prime $e > l$.

The public key is $PK = (n, e)$.

Next, the dealer computes $d \in \mathbb{Z}$ such that $de \equiv 1 \pmod m$. The dealer sets $a_0 = d$ and chooses $a_i$ at random from $\{0, \dots, m - 1\}$ for $1 \leq i \leq k - 1$. The numbers $a_0, \dots, a_{k-1}$ define the polynomial $f(X) = \sum_{i=0}^{k-1} a_i X^i \in \mathbb{Z}[X]$.

For $1 \leq i \leq l$, the dealer computes

$$s_i = f(i) \bmod m. \quad (1)$$

This number $s_i$ is the secret key share $SK_i$ of player $i$.

We denote by $Q_n$ the subgroup of squares in $\mathbb{Z}_n^*$.

Next, the dealer chooses a random $v \in Q_n$, and for $1 \leq i \leq l$ computes $v_i = v^{s_i} \in Q_n$. These elements define the verification keys: $VK = v$, and $VK_i = v_i$.



Some Preliminary Observations. Note that $\mathbb{Z}_n^* \cong \mathbb{Z}_m \times \mathbb{Z}_2 \times \mathbb{Z}_2$. If we let $J_n$ denote the subgroup of elements $x \in \mathbb{Z}_n^*$ with Jacobi symbol $(x|n) = 1$, then we have $Q_n \subset J_n \subset \mathbb{Z}_n^*$; moreover, $Q_n$ is cyclic of order $m$ and $J_n$ is cyclic of order $2m$. Also, $-1 \in J_n \setminus Q_n$.

Generally speaking, we shall ensure that all group computations are done in $Q_n$, and corresponding exponent arithmetic in $\mathbb{Z}_m$. This is convenient, since $m = p'q'$ has no small prime factors.

Since the dealer chooses $v \in Q_n$ at random, we may assume that $v$ generates $Q_n$, since this happens with all but negligible probability. Because of this, the values $v_i$ completely determine the values $s_i \bmod m$.

For any subset of $k$ points in $\{0, \dots, l\}$, the value of $f(X)$ modulo $m$ at these points uniquely determines the coefficients of $f(X)$ modulo $m$, and hence the value of $f(X)$ modulo $m$ at any other point in $\{0, \dots, l\}$. This follows from the fact that the corresponding Vandermonde matrix is invertible modulo $m$, since its determinant is relatively prime to $m$.

From this, it follows that for any subset of $k - 1$ points in $\{1, \dots, l\}$, the distributions of the value of $f(X)$ modulo $m$ at these points are uniform and mutually independent.

Let $\Delta = l!$. For any subset $S$ of $k$ points in $\{0, \dots, l\}$, and for any $i \in \{0, \dots, l\} \setminus S$ and $j \in S$, we can define

$$\lambda^S_{i,j} = \Delta \cdot \frac{\prod_{j' \in S \setminus \{j\}} (i - j')}{\prod_{j' \in S \setminus \{j\}} (j - j')}. \quad (2)$$

These values are derived from the standard Lagrange interpolation formula. They are clearly integers, since the denominator divides $j!(l - j)!$ which in turn divides $l!$. It is also clear that these values are easy to compute. From the Lagrange interpolation formula, we have:

$$\Delta \cdot f(i) \equiv \sum_{j \in S} \lambda^S_{i,j} f(j) \pmod m. \quad (3)$$

Valid Signatures. We next describe what a valid signature looks like. We need a hash function $H$ mapping messages to elements of $\mathbb{Z}_n^*$. If $x = H(M)$, then a valid signature on $M$ is $y \in \mathbb{Z}_n^*$ such that $y^e = x$. This is just a classical RSA signature.

Generating a Signature Share. We now describe how a signature share on a 
message is generated. Let = ( ). The signature share of player consists 



along with a “proof of correctness.” 

The proof of correctness is basically just a proof that the discrete logarithm of $x_i^2$ to the base $\tilde x = x^{4\Delta}$ is the same as the discrete logarithm of $v_i$ to the base $v$. For this, we can easily adapt a well-known interactive protocol, due to Chaum and Pedersen [CP92]. We “collapse” the protocol, making it non-interactive, by using a hash function to create the challenge — this is where the random oracle model will be needed. We also have to deal with the fact that we are working in a group $Q_n$ whose order is not known. But this is trivially dealt with by just working with sufficiently large integers.

Now the details. Let L{n) be the bit-length of n. Let ' be a hash function, 
whose output is an Li-bit integer, where Li is a secondary security parameter 
{Li = 128, say). To construct the proof of correctness, player chooses a random 
number G {0 ... — 1}, computes 



= '(t 



? v' ' 



) = 



The proof of correctness is ( ) . 

To verify this proof of correctness, one checks that 






The reason for working with $x_i^2$ and not $x_i$ is that although $x_i$ is supposed to be a square, this is not easily verified. This way, we are sure to be working in $Q_n$, where we need to be working to ensure soundness.

Combining Shares. We next describe how signature shares are combined. Suppose we have valid shares from a set $S$ of $k$ players, where $S = \{i_1, \dots, i_k\} \subset \{1, \dots, l\}$.

Let $x = H(M) \in \mathbb{Z}_n^*$, and assume that these shares are valid. Then to combine shares, we compute

$$w = x_{i_1}^{2\lambda^S_{0,i_1}} \cdots x_{i_k}^{2\lambda^S_{0,i_k}},$$

where the $\lambda$’s are the integers defined in (2). From (3), we have $w^e = x^{e'}$, where

$$e' = 4\Delta^2. \quad (6)$$

Since $\gcd(e', e) = 1$, it is easy to compute $y$ such that $y^e = x$, using a standard algorithm: $y = w^a x^b$, where $a$ and $b$ are integers such that $e'a + eb = 1$, which can be obtained from the extended Euclidean algorithm on $e'$ and $e$.
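As an added worked example (not code from the paper), here is Protocol 1 run end to end on a toy modulus: the dealer's polynomial sharing of $d$, the shares $x_i$ with their collapsed Chaum-Pedersen proofs of correctness, and recombination through the $\Delta$-scaled Lagrange coefficients and the extended Euclidean algorithm. The primes, $l$, $k$, $e$ and the SHA-256 instantiations of $H$ and $H'$ are assumptions chosen for readability; a real deployment uses 512-bit safe primes as the text says.

```python
"""Toy end-to-end run of Protocol 1 (k-out-of-l threshold RSA).

Added example, not the paper's code.  Assumptions: p = 23, q = 47 (p' = 11,
q' = 23, n = 1081, m = 253), l = 5, k = 3, e = 7, and SHA-256 based H and H'.
Structure follows Section 3: s_i = f(i) mod m, x_i = x^(2*Delta*s_i), a
Chaum-Pedersen style proof, Lagrange coefficients scaled by Delta = l!, and
recombination via w^e = x^(4*Delta^2) plus the extended Euclidean algorithm."""
import hashlib
import math
import random

P, Q = 23, 47                         # toy safe primes p = 2p'+1, q = 2q'+1
N = P * Q                             # RSA modulus n
M = ((P - 1) // 2) * ((Q - 1) // 2)   # m = p'q', the order of Q_n
L_PLAYERS, K, E = 5, 3, 7             # l players, quorum k, prime e > l
DELTA = math.factorial(L_PLAYERS)     # Delta = l!
L1 = 32                               # bits of H' output (toy; paper: 128)
L_N = N.bit_length()                  # L(n)


def H(msg: bytes) -> int:
    """Constructed hash into Z_n^*: SHA-256 mod n, re-hashed with a counter
    until the value is a unit (only ever needed for a toy-sized n)."""
    ctr = 0
    while True:
        h = hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % N
        if x and math.gcd(x, N) == 1:
            return x
        ctr += 1


def H_prime(*vals: int) -> int:
    """Constructed L1-bit challenge hash H' (Fiat-Shamir collapse)."""
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << L1)


def deal(rng):
    """Dealer: f(X) = d + a_1 X + ... + a_{k-1} X^{k-1}, d = e^-1 mod m,
    shares s_i = f(i) mod m, verification keys v in Q_n and v_i = v^{s_i}."""
    d = pow(E, -1, M)
    coeffs = [d] + [rng.randrange(M) for _ in range(K - 1)]
    shares = {i: sum(a * i**j for j, a in enumerate(coeffs)) % M
              for i in range(1, L_PLAYERS + 1)}
    while True:                       # v = u^2 for a random unit u
        u = rng.randrange(2, N)
        if math.gcd(u, N) == 1:
            break
    v = pow(u, 2, N)
    return shares, v, {i: pow(v, s, N) for i, s in shares.items()}


def sign_share(x, s_i, v, v_i, rng):
    """x_i = x^{2 Delta s_i} with a proof (z, c) that log_{x~}(x_i^2) =
    log_v(v_i), where x~ = x^{4 Delta}; c = H'(v, x~, v_i, x_i^2, v^r, x~^r)."""
    x_i = pow(x, 2 * DELTA * s_i, N)
    x_t = pow(x, 4 * DELTA, N)
    r = rng.randrange(1 << (L_N + 2 * L1))
    c = H_prime(v, x_t, v_i, pow(x_i, 2, N), pow(v, r, N), pow(x_t, r, N))
    return x_i, (s_i * c + r, c)


def verify_share(x, x_i, proof, v, v_i):
    """Recompute v' = v^z v_i^-c and x' = x~^z x_i^-2c and check the hash."""
    z, c = proof
    if math.gcd(x_i, N) != 1:
        return False
    x_t = pow(x, 4 * DELTA, N)
    v_p = pow(v, z, N) * pow(v_i, -c, N) % N
    x_p = pow(x_t, z, N) * pow(x_i, -2 * c, N) % N
    return c == H_prime(v, x_t, v_i, pow(x_i, 2, N), v_p, x_p)


def lagrange(S, i, j):
    """lambda^S_{i,j} = Delta * prod_{j' in S-{j}} (i-j') / prod (j-j')."""
    others = [jp for jp in S if jp != j]
    num = DELTA * math.prod(i - jp for jp in others)
    den = math.prod(j - jp for jp in others)
    assert num % den == 0              # Delta = l! clears the denominator
    return num // den


def combine(x, sig_shares):
    """w = prod x_i^{2 lambda^S_{0,i}} gives w^e = x^{e'} with e' = 4 Delta^2;
    with a e' + b e = 1 the signature is y = w^a x^b, so that y^e = x."""
    S = sorted(sig_shares)
    assert len(S) == K
    w = 1
    for i in S:
        w = w * pow(sig_shares[i], 2 * lagrange(S, 0, i), N) % N
    e_prime = 4 * DELTA * DELTA
    a = pow(e_prime, -1, E)            # gcd(e', e) = 1 as e is a prime > l
    b = (1 - a * e_prime) // E
    return pow(w, a, N) * pow(x, b, N) % N


def demo(signers=(1, 3, 5), msg=b"constructed test message", seed=1):
    """Deal, let the quorum `signers` sign msg, verify each share, combine."""
    rng = random.Random(seed)
    shares, v, vks = deal(rng)
    x = H(msg)
    out = {i: sign_share(x, shares[i], v, vks[i], rng) for i in signers}
    sig_shares = {i: xi for i, (xi, _) in out.items()}
    proofs = {i: pr for i, (_, pr) in out.items()}
    ok = all(verify_share(x, sig_shares[i], proofs[i], v, vks[i]) for i in signers)
    return {"x": x, "y": combine(x, sig_shares), "shares_ok": ok, "v": v,
            "vks": vks, "sig_shares": sig_shares, "proofs": proofs}
```

Any quorum of $k$ players yields the same $y$, since the $e$th root of $x$ is unique, and a share that was not computed with the committed $s_i$ fails `verify_share` because the recomputed $v'$, $x'$ no longer hash to $c$.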

4 Security Analysis of Protocol 1 

Theorem 1. For $k = t + 1$, in the random oracle model for $H'$, Protocol 1 is a secure threshold signature scheme (robust and non-forgeable) assuming the standard RSA signature scheme is secure.

We show how to simulate the adversary’s view, given access to an RSA signing oracle which we use only when the adversary asks for a signature share from an uncorrupted player.

Let $i_1, \dots, i_{k-1}$ be the set of corrupted players. Recall $s_j = f(j) \bmod m$ for all $1 \leq j \leq l$, and $d = f(0) \bmod m$.

To simulate the adversary’s view, we simply choose the $s_{i_j}$ belonging to the set of corrupted players at random from the set $\{0, \dots, \lfloor n/4 \rfloor - 1\}$. We have already argued that the corrupted players’ secret key shares are random numbers in the set $\{0, \dots, m - 1\}$. We have

$$n/4 - m = (p' + q')/2 + 1/4,$$

and from this a simple calculation shows that the statistical distance between the uniform distribution on $\{0, \dots, \lfloor n/4 \rfloor - 1\}$ and the uniform distribution on $\{0, \dots, m - 1\}$ is

Once these $s_{i_j}$ values are chosen, the values $s_i$ for the uncorrupted players are also completely determined modulo $m$, but cannot be easily computed. However, given $y \in \mathbb{Z}_n^*$ with $y^e = x$, we can easily compute $x_i = x^{2\Delta s_i}$ for an uncorrupted player $i$ as

$$x_i = y^{2\left(\lambda^S_{i,0} + e\left(\lambda^S_{i,i_1} s_{i_1} + \cdots + \lambda^S_{i,i_{k-1}} s_{i_{k-1}}\right)\right)},$$

where $S = \{0, i_1, \dots, i_{k-1}\}$. This follows from (3).

Using this technique, we can generate the values $v, v_1, \dots, v_l$, and also generate any share $x_i$ of a signature, given the standard RSA signature.

This argument shows why we defined the share $x_i$ to be $x^{2\Delta s_i}$ instead of, say, $x^{s_i}$. This same idea was used by Feldman [Fel87] in the context of the different but related problem of verifiable secret sharing.
With regard to the “proofs of correctness,” one can invoke the random oracle model for the hash function $H'$ to get soundness and statistical zero-knowledge. This is quite straightforward, but we sketch the details.

First, consider soundness. We want to show that the adversary cannot construct, except with negligible probability, a proof of correctness for an incorrect share. Let $\tilde x$ and $x_i$ be given, along with a valid proof of correctness $(z, c)$. We have $c = H'(v, \tilde x, v_i, x_i^2, v', x')$, where

$$v' = v^z v_i^{-c}, \qquad x' = \tilde x^z x_i^{-2c}.$$

Now, $\tilde x, v_i, x_i^2, v', x'$ are all easily seen to lie in $Q_n$, and we are assuming that $v$ generates $Q_n$. So we have

$$\tilde x = v^{\alpha}, \quad v_i = v^{s_i}, \quad x_i^2 = v^{\beta}, \quad v' = v^{\gamma}, \quad x' = v^{\delta}$$

for some integers $\alpha, \beta, \gamma, \delta$. Moreover,

$$z - s_i c \equiv \gamma \pmod m \quad\text{and}\quad \alpha z - \beta c \equiv \delta \pmod m.$$

Multiplying the first equation by $\alpha$ and subtracting the second, we have

$$c(\beta - s_i \alpha) \equiv \alpha\gamma - \delta \pmod m. \quad (7)$$

Now, a share is correct if and only if

$$\beta \equiv s_i \alpha \pmod m. \quad (8)$$

If (8) fails to hold, then it must fail to hold mod $p'$ or mod $q'$, and so (7) uniquely determines $c$ modulo one of these primes. But in the random oracle model, the distribution of $c$ is uniform and independent of the inputs to the hash function, and so this event happens with negligible probability.

Second, consider zero-knowledge simulatability. We can construct a simulator that simulates the adversary’s view without knowing the value $s_i$. This view includes the values of the random oracle at those points where the adversary has queried the oracle, so the simulator is in complete charge of the random oracle. Whenever the adversary makes a query to the random oracle, if the oracle has not been previously defined at the given point, the simulator defines it to be a random value, and in any case returns the value to the adversary. When an uncorrupted player is supposed to generate a proof of correctness for a given $\tilde x$, $x_i$, the simulator chooses $c \in \{0, \dots, 2^{L_1} - 1\}$ and $z \in \{0, \dots, 2^{L(n) + 2L_1} - 1\}$ at random, and for given values $v$ and $v_i$, defines the value of the random oracle at $(v, \tilde x, v_i, x_i^2, v^z v_i^{-c}, \tilde x^z x_i^{-2c})$ to be $c$. With all but negligible probability, the simulator has not defined the random oracle at this point before, and so it is free to do so now. The proof is just $(z, c)$. It is straightforward to verify that the distribution produced by this simulator is statistically close to perfect.

From soundness, we get the robustness of the threshold signature scheme. From zero-knowledge, and the above arguments, we get the non-forgeability of the threshold signature scheme, assuming that the standard RSA signature scheme is secure, i.e., existentially non-forgeable against adaptive chosen message attack. This last assumption can be further justified (see [BR93]): in the random oracle model for $H$, this assumption follows from the RSA assumption — given random $x \in \mathbb{Z}_n^*$, it is hard to compute $y$ such that $y^e = x$.



5 Protocol 2: A Modification and Security Analysis when $k > t + 1$



We now present Protocol 2 and analyze its security when $k > t + 1$. In our analysis of Protocol 2, we need to make use of the random oracle model in a fundamental way. As such, we fully exploit the random oracle model to get a scheme that is a bit simpler and more efficient than Protocol 1.

Protocol 2 is obtained by modifying Protocol 1 as follows.

Instead of computing the secret key share $s_i$ as in (1), the dealer computes it as

$$s_i = \Delta^{-1} f(i) \bmod m.$$

We add to the verification key $VK$ an element $u \in \mathbb{Z}_n^*$ with Jacobi symbol $(u|n) = -1$. Note that the Jacobi symbol can be efficiently computed, and such a $u$ can be found just by random sampling.

We then modify the share generation algorithm as follows. Let $x' = H(M)$. We set

$$x = \begin{cases} x' & \text{if } (x'|n) = 1, \\ x' u^e & \text{if } (x'|n) = -1. \end{cases}$$

This forces the Jacobi symbol of $x$ to be 1. The share generation, verification, and combination algorithms then run as before, using this new value of $x$, except that we make the following simplifications: we redefine $x_i$, $\tilde x$, and $e'$ (defined in (4), (5), and (6)) as

Thus, we eliminate the somewhat “artificial” appearances of $\Delta$ in the share generation and combination algorithms.

The original share combination algorithm produces $y$ such that $y^e = x$. If $x = x' u^e$, then we can divide $y$ by $u$, obtaining an $e$th root of $x' = H(M)$, so we still obtain a standard RSA signature.

That completes the description of Protocol 2.

To analyze the security of Protocol 2, we will need to work in the random oracle model for $H$. The intractability assumptions we will need to make are then as follows:

— The RSA assumption — it is hard to compute $y$ such that $y^e = x$, given random $x \in \mathbb{Z}_n^*$;

— The Decision Diffie-Hellman (DDH) assumption — given random $g, h \in Q_n$, along with $g^a$ and $h^b$, it is hard to decide if $a \equiv b \pmod m$.




Practical Threshold Signatures 217 



We make our DDH assumption a bit more precise. For G G Z^, 

and G {0 1}, define 




The DDH assumption states that for random G and random 
as above, it is hard to compute — with negligible error probability — given 
“ ( )• 

Note that this is an average-case complexity assumption. It is equivalent to a worst-case complexity assumption, by a standard “random self reduction” argument [Sta96,NR97], provided the inputs are restricted in the following way: $g$ and $h$ should generate $Q_n$, and $\gcd(a - b, m) \notin \{p', q'\}$.

Note that the DDH is a reasonable assumption here, since the group $Q_n$ has no small prime factors [Sho97].

By a standard “hybrid” argument (see [NR97]), the above DDH assumption 
is equivalent to the following: the distributions 

^ O'! 0'S . ds ^ 

and 

^ ai a,e. bi 

are computationally indistinguishable. Here s is any (small) number, and 
are random elements of „, and the i’s and j’s are random numbers modulo 
m. Note that it is possible to prove the same equivalence using the random 
self-reducibility property of the DDH (see [Sho99] or [BBM00]). 

Theorem 2. In the random oracle model for and ′, under the RSA and 
DDH assumptions Protocol 2 is a secure threshold signature scheme (robust and 
non-forgeable) for > t + 1; moreover, when = t + 1, the same holds under 
the RSA assumption alone. 

The proof of the robustness property goes through as before. We focus here 
on the proof of non-forgeability. 

The reason we need the DDH assumption is the following: when > t + 1, 
some honest players may have to generate shares for the “target” message, and 
we need the DDH to allow us to generate “dummy” shares in this case. 

The random oracle model for will allow the simulator to choose the outputs 
of as it wishes, so long as these outputs have the right distribution. 

We now describe a series of simulators. 

The First Simulator. The simulator chooses the shares for the corrupted play- 
ers s_{i_1}, . . . , s_{i_t} as random numbers chosen from {0, . . . , ⌊n/4⌋ − 1}, just as it did 
in the previous section. 

Let be random elements in „. Here, i_{t+1}, . . . , i_{k−1} are 
arbitrary indices of uncorrupted players. We assume that all of these group ele- 
ments are generators for „, which is the case with all but negligible probability. 
The values implicitly define modulo m by the 
equation i. = . 
We next show how to sample from the distribution 

1 ■ ■ ■ /■ 

We choose ∈ {0, . . . , ⌊n/4⌋ − 1} at random, and 1, 2 ∈ {0, 1} at random. 
We set ′ = ( 1)^2, thus defining the corresponding value to be 
( ^e(−1)′^. For one of the uncorrupted players j ∈ {i_{t+1}, . . . , i_{k−1}}, we have 
sj = { For other uncorrupted players , we can compute i as 

^ ^24eA®,^_^ 

where = {0, 1, . . . , k−1}. Again, this follows from (3). 

We can generate values in this way so that ″ is the output of the random 
oracle . We can also generate the verification keys v, v_1, . . . , v_l in basically the 
same way. 

This simulator generates ' in this way for every random oracle query, so we 
will not be able to break the RSA problem with this simulator (this is only the 
first step). 

It is easy to see that this simulation is statistically close to perfect. The 
one thing to notice is that ′ is nearly uniformly distributed in Z_n^*. The proof 
of this utilizes the fact that every element in Z_n^* can be expressed uniquely as 
1)^^, for ∈ {0, . . . , m − 1}, and 1, 2 ∈ {0, 1}. 

The Second Simulator. This simulator is the same as the first, except as 
follows. Let and be random elements in „. 

This simulator “guesses” which message will be forged by the adversary; that is, 
we can assume that the forged message is an input to the random oracle, and 
the simulator just guesses one of these queries is the “target” message. 

Everything is the same as before, except that when generating " 1 . . . i 

for the target message, the simulator performs the same calculations using the 
values instead of ” in the calculation. 

This simulation is no longer statistically indistinguishable from the 
real game, but this is where we use the DDH assumption. On this assumption, 
with non-negligible probability, the adversary will still forge a message, and that 
message will be the selected target. 

Notice that the “correctness proofs” of the shares can still be simulated 
using the random oracle model for ′ just as before — the fact that the statement 
being “proved” is false is interesting, but irrelevant. 

The Third Simulator. This simulator is the same as the first, except as fol- 
lows. Let be a random element in Z_n^*. For the target message hash value, the 
simulator sets ″ = . Also, whenever the adversary asks for a signature share 
i on the target message from any uncorrupted player, the simulator simply 
outputs a random quadratic residue. The “correctness proofs” can still be simu- 
lated, just as before. If the adversary ever asks for more than − t − 1 signature 
shares on the target message, the simulator simply halts and reports an error. 




It is easy to see that the distribution of this simulation is identical to that of 
the second simulation, provided the adversary does not ask for too many shares 
of the target message. Indeed, because of the way the second simulator constructs 
the signature shares i from the uncorrupted players on the target message, any 
subset of − t − 1 of them is uniformly distributed in „, and independent of 
all other variables in the adversary’s view. So with non-negligible probability, 
the adversary will forge a signature on the target message, which means, in 
particular, that he does not ask for too many shares. Moreover, if he forges this 
signature, then he has computed an e-th root of in Z_n^*, thus contradicting the 
RSA assumption. 

To complete the proof of the theorem, we simply note that when = t + 1, 
the DDH is not needed at all in the above arguments. 
Abstract. We put forward two new measures of security for threshold 
schemes secure in the adaptive adversary model: security under con- 
current composition; and security without the assumption of reliable 
erasure. Using novel constructions and analytical tools, in both these 
settings, we exhibit efficient secure threshold protocols for a variety of 
cryptographic applications. In particular, based on the recent scheme 
by Cramer-Shoup, we construct adaptively secure threshold cryptosys- 
tems secure against adaptive chosen ciphertext attack under the DDH 
intractability assumption. Our techniques are also applicable to other 
cryptosystems and signature schemes, like RSA, DSS, and ElGamal. 
Our techniques include the first efficient implementation, for a wide but 
special class of protocols, of secure channels in erasure-free adaptive 
model. 

Of independent interest, we present the notion of a committed proof. 



1 Introduction 

Overview. The idea of threshold cryptography [Des87,DF89] is that a highly 
sensitive operation, such as decryption or signing, can be performed by a group of 
cooperating servers in such a way that no minority of servers is able to perform 
the operation by themselves, nor are they able to prevent the other servers 
from performing the operation when it is required. Thus, threshold protocols 
implement trusted entities, based on the assumption that only a fraction of a 
given set of dedicated servers can become corrupted. However, it is a challenging 
task to design protocols that are secure in the face of realistic attacks against the 

* This extended abstract is a concise presentation of two independent results by 
Lysyanskaya [Lys00] and Jarecki and Lysyanskaya [JL00]. Lysyanskaya [Lys00] in- 
troduces the concurrent model, presents the notion of a committed proof, and con- 
structs threshold schemes secure against the adaptive adversary in the concurrent 
model; Jarecki and Lysyanskaya [JL00] introduce the erasure-free model, and present 
threshold schemes secure against the adaptive adversary in this model, including the 
efficient implementation of secure channels. 

** Part of this research was carried out while the author was visiting IBM Zurich 
Research Laboratory. 
servers. In the present extended abstract we consider two such attacks for which 
no previous threshold schemes can be proven secure. The two attacks correspond 
to two quite limiting assumptions which were necessary for the previously known 
solutions, and which consequently hindered their applicability. 

We consider a concurrent attack where the adversary tries to get an advantage 
by participating in several concurrent executions of the threshold protocol. Since 
previous schemes were not provably secure in this adversarial model, they were 
limited to sequential execution synchronized among all servers. We also consider 
an attack in which the entire history of a server’s computation is recorded and 
becomes available to an adversary that corrupts this server. Since no schemes 
were provable in this model, they had to be executed on servers that could 
reliably erase their data. For both of these adversarial models, we devise novel 
techniques that allow us to implement efficient protocols that withstand them. 
We exemplify these techniques with threshold implementations of the Cramer- 
Shoup cryptosystem [CS98], which achieves the highest known level of security: 
security against adaptive chosen ciphertext attack. Furthermore, our techniques 
also yield efficient concurrent or erasure-free adaptively secure solutions to other 
schemes like RSA, DSS, and ElGamal. 

History. For a long time, we knew only how to design threshold protocols secure 
in the so-called static adversary model where the adversary fixes the players that 
will be corrupted before the protocol starts. Recently, Canetti et al. [CGJ+99a] 
and Frankel et al. [FMY99a-b] exhibited the first threshold schemes secure and 
robust against the stronger and more realistic adaptive adversary, who chooses 
which players to corrupt at any time and based on any information he sees dur- 
ing the protocol. These results are important since it is known that the adaptive 
adversary is strictly stronger than the static one [CFGN96,Can98,CDD+99]. 
However, none of these adaptively secure protocols remained secure under con- 
current composition, and they all required erasures. In addition, the cryptosys- 
tems and signature schemes implemented by these threshold schemes are not 
known to be provably secure under adaptive chosen ciphertext attack/adaptive 
chosen message attack. We remark that even though general multi-party com- 
putation results guarantee adaptive erasure-free distributed function evalua- 
tion [BGW88,CCD88,CDD+99,CFGN96], implementing threshold cryptography 
via these general techniques is impractical. 

General Model. We consider a network of n players and an adaptive adversary 
that can corrupt up to a minority t < n/2 of the players. The players have access 
to a reliable broadcast channel, there are insecure point-to-point links between 
each pair of them, and the message delivery is partially synchronous. 

Concurrent Model. We consider the concurrent setting, where many invoca- 
tions of possibly the same threshold cryptosystem or signature scheme can be 
executed at the same time, and each of them must remain secure. This previ- 
ously unexplored setting models an important property of threshold systems: 
the possibility of executing several protocols at the same time. 
Erasure-Free Model. All of the threshold systems mentioned so far are implemented 
using erasures. That is to say, they are only secure if honest players 
can erase local data once it is no longer needed. However, secure erasure is hard 
to achieve in practice. On the hardware level, it is difficult to permanently erase 
information from hardware storage devices. On the system maintenance level, 
the need to erase data complicates standard computer system bookkeeping and 
backup procedures. Most serious problems arise on the operating systems level, 
since in order to securely erase the data, one needs to erase it from all the 
caches and from the part of the hard drive that was used for page swaps, etc. 
Di Crescenzo et al. [CFIJ99] discuss this problem and suggest a solution that 
enables erasures based on the assumption that some area of memory can indeed 
be securely erased. In contrast, we show that in the adaptively secure threshold 
setting it is possible to get rid of the need of secure data erasure altogether. We 
thus examine an erasure-free model, in which the adversary is effectively allowed 
to examine the entire history of the computation of a party it corrupts. 

Techniques of Independent Interest. We introduce the notion of a commit- 
ted proof, i.e. a zero-knowledge proof of an unknown statement [Lys00]. It was 
not known before that it was possible to prove a statement without revealing 
it to the verifier until the very last round of communication. Here we use such 
committed proofs to achieve threshold cryptosystems adaptively secure in the 
concurrent model. Another useful technique of independent interest that we put 
forward as an implementation of secure channels in the erasure-free model is 
our receiver-non-committing encryption scheme [JL00]. A non-committing en- 
cryption scheme has a property that there is a way to generate messages that 
look like ciphertexts but do not commit the players to any particular plaintext. 
We give a simple and efficient encryption scheme that is non-committing for the 
receiver under the decisional Diffie-Hellman intractability assumption. 

Organization. In Section 2 we give an overview of our results and the most 
important techniques which allow us to achieve them. In Section 3 we present 
the notion and an implementation of a committed proof. Section 4 presents 
our non-committing encryption scheme. We then present our adaptive threshold 
protocols: Section 5 describes the basic building blocks of our solutions; sec- 
tions 6 and 7 exemplify our techniques with two threshold implementations of 
the Cramer-Shoup cryptosystem: (1) an erasure-enabled protocol secure in con- 
current composition; (2) an erasure-free protocol which is concurrently secure 
only under certain restrictions. For a more thorough treatment of our results 
pertaining to the concurrent model and to committed proofs, see the work of 
Lysyanskaya [Lys00]. For a more thorough treatment of our results pertaining to 
the erasure-free model and non-committing encryption, see Jarecki and Lysyan- 
skaya [JL00]. 
2 Overview of Our Concurrent and Erasure-Free Protocols 

Definitions and Goals. A threshold cryptosystem or signature scheme im- 
plemented by n players with threshold t is said to be secure if the view of the 
adversary that corrupts up to t players does not enable him to compute decryp- 
tions or signatures on his own. A threshold scheme is said to be robust if, no 
matter what the corrupted t players do, the remaining (i.e. honest) players still 
output a valid decryption or signature. (For formal definitions of security and 
robustness, see previous work [SG98,CG99,CGJ+99b].) 

A standard technique of proving security of a threshold cryptosystem (or a 
signature scheme) is to exhibit a simulation algorithm which, without access to 
any secret information but with an oracle access to the single-server realization 
of the underlying cryptosystem, furnishes the adversary with the correct view of 
the execution of the threshold protocol. Thus, by exhibiting such simulator, we 
reduce the security of the threshold version of a cryptosystem to the security of 
its single-server counterpart. 

A corresponding standard technique for proving robustness of a threshold 
scheme is to exhibit a knowledge extractor which plays the part of the honest 
players in the protocol, and in case the adversary succeeds in inducing the honest 
players into producing an invalid output, it extracts from the adversary’s behav- 
ior a solution to some hard problem. Thus again, by exhibiting such extractor, 
we reduce the robustness of our threshold protocol to some standard hardness 
assumption. 

Previous Adaptively Secure Solutions. The task of strengthening statically- 
secure protocols to handle an adaptive adversary contains the following difficulty: 
To compute an instance of a certain function robustly (we abstract from whether 
the function is a signature or a decryption), say an exponentiation function 
A = m^a on instance m, where a is secret-shared, the players must publish some 
partial results of this function, say values A_i = m^{a_i} where the a_i’s are the polynomial 
shares of a. In the static model, since the group of corrupted players is fixed, 
without knowing a, on the input A = m^a received from the function oracle (see the 
definitions paragraph above), the simulator can produce the view of the protocol 
that outputs A by picking the shares of the corrupted players and using them 
to interpolate values A_i of the honest players. However, in the adaptive model, 
such simulation fails because the simulator cannot publish A_i’s for the honest 
players and then be able to open the values a_i s.t. m^{a_i} = A_i for any t-sized group 
of players that the adaptive adversary chooses to corrupt: That would imply the 
knowledge of more than t shares a_i, and hence the knowledge of a. 

Recent adaptively secure protocols [CGJ+99,FMY99a-b] have overcome this 
difficulty with the following ideas: i) Value A can be reconstructed if every player 
publishes A_i = m^{a_i} where a_i is its additive share of a, i.e. Σ a_i = a; ii) Robust- 
ness, previously guaranteed via “interpolation in the exponent” of values A_i, is 
achieved via generation of Pedersen’s commitments along each share a_i, 
and with zero-knowledge proofs that show that corresponds to the commit- 
ted value. Because the shares are additive, the simulator can reveal a consistent 
internal state a_i for all but one of the players it controls. If that single inconsistent 
player is corrupted, which happens with at most 1/2 probability, the simulation 
is rewound to the beginning of this instance of the function application. Thus 
the simulation of a single instance succeeds after expected two trials. However, 
since such rewinding must be constrained to within the single instance of the 
function application (see the overview discussion of Canetti et al. [CGJ+99a]), 
the additive shares a_i used in this protocol must be erased (resharing must be 
performed to enable the application of the function on a new instance), so that 
the simulator will know again the proper internal state of that player: He simply 
no longer needs to show the information that he cannot produce. 

Concurrent Adaptive Security with Committed Proofs. Our first obser- 
vation about the above reasoning is that there might be no inconsistent player 
during the simulation at all, if the “compromising” share a_i can be erased before 
the partial result A_i is published. Since there would be no inconsistent players, 
the simulator would never have to rewind, and hence concurrent executions of 
such threshold protocol can be simulated and thus proven secure. However, how 
can we achieve robustness if a player is to erase its share a_i before publishing 
A_i? We show that it is indeed possible by devising a novel tool of a committed 
zero-knowledge proof (see Sec. 3), where a statement that needs to be proven, 
e.g. “A_i and contain the same value a_i”, is revealed only after the proof 
ends. In particular, it can be revealed after the witness a_i needed to prove the 
above statement is erased. This committed proof technique can thus be applied 
to transform, with negligible increase in communication complexity, the adap- 
tive DSS and RSA solutions [CGJ+99,FMY99a-b], as well as other protocols like 
threshold ElGamal, to concurrently secure adaptive solutions. 

We further observe that by providing robustness while eliminating all incon- 
sistent players in the above way, the committed proof technique can actually 
transform, in the erasure-enabled setting, a very general class of statically secure 
threshold protocols into adaptively and concurrently secure ones (see Lysyan- 
skaya [Lys00] for more discussion). In Section 6 we exemplify the generality of 
these techniques with a threshold Cramer-Shoup cryptosystem. 

Erasure-Free Adaptive Security with Persistently Inconsistent 
Players. Our second observation is that in the above simulation 
[CGJ+99,FMY99a-b] a random inconsistent player need not be picked in a sim- 
ulation of each instance of the function application protocol. Instead, it can pick 
some player at the beginning of the simulation process, and use that player as 
a single persistently inconsistent player in a simulation of each instance of the 
function application. If that player is ever corrupted, the simulation fails, but 
since that happens only with at most 1/2 probability, such simulation still es- 
tablishes a reduction from the security of the threshold protocol to the security 
of the underlying cryptosystem or signature scheme. If we can show that indeed 
this single player is the only player whose internal state held by the simulator is 
inconsistent with the adversary’s view of the protocol, then our protocols do not 
have to resort to erasure, and hence they are secure in the erasure-free model. 
We achieve this goal in two steps: First we remove the need to erase on the 
protocol level, by which we mean that the resulting scheme is secure in the erasure- 
free model if it is implemented over secure channels. We do this, in general, by 
using additive sharing instead of polynomial sharing throughout the threshold 
protocols. Secondly, for the threshold protocols that need secure channels, we 
need to devise an encryption that implements the secure channels abstraction 
in the adaptive erasure-free model. This is an intriguing and non-trivial task, 
and the solution of non-committing encryption for the receiver which we provide 
in Section 4 is better than the available solutions [CFGN96,Bea97] of general 
non-committing encryption because it does not introduce any non-negligible 
communication overhead. The reason why non-committing encryption for the 
receiver only is sufficient is because not only is our simulator able to reveal, at the 
time of corruption, the history of computation of all players it controls except the 
persistently inconsistent one, but he already knows the values of all messages sent 
by these players at the time the messages are sent. These techniques yield efficient 
adaptive non-erasing protocols for DSS, RSA, and ElGamal (additionally, our 
methods lead to a dramatic reduction in the cost of adaptive RSA [JL00]). In 
Section 7 we exemplify them with a threshold Cramer-Shoup cryptosystem. 

Finally, we remark that since the simulators in our erasure-free protocols are 
also non-rewinding (although they have 1/2 probability of failure), a concurrent 
execution of any number of instances of such protocols is secure if, for example, 
they are executed by dedicated players (see [JL00] for more details). 

3 Adaptive, Concurrent Security via Committed Proofs 

In this section, we present the notion of a committed proof [Lys00], which is 
a zero-knowledge proof that is carried out in a committed form. The verifier 
does not learn the statement that is being proven until the very last round 
of the protocol. As discussed in section 2, this technique gives a general tool 
that transforms statically secure threshold protocols to adaptively secure ones, 
with the additional property that their security is preserved under concurrent 
composition. 

Suppose we are given the following three-step public-coin honest-verifier zero- 
knowledge proof of knowledge system Z [BG92] for language L: 

1. The proof system has perfect completeness and soundness. 

2. The prover’s input is x ∈ L, a witness w, and some randomness r. 

3. The random coins R are tossed after the prover issues the first message. 

4. Algorithms P_1(x, w, r) and P_2(x, w, r, R) generate the first and second mes- 
sages of the prover. 

5. The verifier runs algorithm Ver(x, m_1, R, m_2) to determine whether to ac- 
cept or reject. 

6. The simulator algorithm SIM used for proving the zero-knowledge prop- 
erty of Z, has the property that for all inputs R ∈ {0, 1}^k, it generates 
an accepting transcript (m_1, R, m_2) indistinguishable from a transcript of a 
conversation with the real prover. 

7. The knowledge extractor algorithm KE for Z has the property that, for some 
constant c, on input (x, m_1, R, R', . . . , R^{(c)}, m_2, m_2', . . . , m_2^{(c)}) such that R ≠ 
R' ≠ . . . ≠ R^{(c)} and Ver accepts all transcripts (x, m_1, R, m_2), 
(x, m_1, R', m_2'), . . . , (x, m_1, R^{(c)}, m_2^{(c)}), KE outputs a witness w 
with probability 1 − neg(k). 

Such proof systems exist for all languages in NP, by a witness-preserving re- 
duction to Hamiltonian cycles [Gol95]. In particular, for proving knowledge or 
equality of discrete logarithms or representations, such proof systems have per- 
fect simulations and are well-studied and efficient [Bra99,Cam98]. 

Suppose that x for which the prover is demonstrating membership in L is 
unknown to the verifier. However, the verifier knows the distribution D from 
which x has been sampled. Moreover, D has the property that there is an effi- 
ciently samplable joint distribution (W, D) from which pairs (w, x) are sampled, 
such that w is a witness for the statement x ∈ L. For example, x can be a tuple 
(G_q, g, h, y) and statement x ∈ L means that y is an element in G_q that can 
be represented in bases g and h. When we sample D, we can first generate 
random α, β ∈ Z_q, and then set w = (α, β) and y = g^α h^β. 

Suppose we are given a trapdoor commitment scheme, i.e. a commitment 
scheme that has the property that for any instance of the commitment scheme, 
there exists a trapdoor σ the knowledge of which enables one to open any commit- 
ment to an arbitrary value within some given domain. 

For example, consider Pedersen commitment: an instance is a group G_q of 
order q in which the discrete logarithm problem is hard, with generators g and 
h and a collision-resistant hash function H : {0, 1}^* → Z_q^*. The trapdoor is σ = 
log_g h. To commit to x, choose a random r and output g^{H(x)} h^r. To open the 
commitment, reveal x and r. If σ is known, it is easy to see that a commitment 
can be opened to any x. Note that if we are not given a collision-resistant hash 
function, then the prover can still commit to his input x and the first message 
of the proof, but this commitment will have to use some special encoding of x 
and will be larger. 

How can we create a simulator such that σ is known to it? In multi-party 
systems, we can have an instance of the commitment scheme generated as part 
of the set-up for the system; then it will follow from the properties of multi-party 
computation that a simulator will know σ. We will discuss such a protocol in 
section 5.1. In two-party protocols, σ can be a value known to the verifier, but 
not the prover; the simulator with black-box access to the verifier will then have 
to extract σ from the verifier. 

Using trapdoor commitments, the prover can execute the proof without re- 
vealing x to the verifier until the very end of the proof. Consider the protocol in 
figure 1 between a prover and a verifier. The protocol uses Pedersen commitment, 
but any trapdoor commitment can be used instead. 

Note (Completeness): We get completeness for free from proof system Z. 
Common inputs: (G_q, g, h): an instance of Pedersen commitment. 

Prover’s inputs: statement x ∈ D, witness w, random input r. 

Verifier’s goal: obtain x s.t. prover knows a witness to “x ∈ L.” 

P → V Prover computes m_1 = P_1(x, w, r), chooses random r_1 and sends 
M_1 = g^{H(x, m_1)} h^{r_1}. 

P ← V Verifier tosses random coins R and sends them to the prover. 

P → V Prover computes m_2 = P_2(x, w, r, R), chooses random r_2 and sends 
M_2 = g^{H(m_2)} h^{r_2}. Prover erases w. 

P → V Prover sends x, m_1, m_2, r_1, r_2, i.e. opens commitments M_1, M_2. 
Acceptance: The verifier accepts if M_1 is a valid commitment to x and m_1, 
M_2 is a valid commitment to m_2, and Ver(x, m_1, R, m_2) accepts. 

Fig. 1. Committed proof 
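The protocol of Fig. 1 and the trapdoor commitment it relies on, as one added runnable example that is not code from the paper. The underlying proof system Z is instantiated with the standard Sigma-protocol for knowledge of a representation y = g^α h^β, the example the text itself uses for the statement x; the commitment is Pedersen with a SHA-256 hash into Z_q^*. The block also carries out what a simulator that knows σ = log_g h does with the trapdoor: it sends commitments to nothing in particular, waits for R, produces a transcript with the honest-verifier simulator of Z, and then equivocates both commitments so that the verifier accepts. The group (p = 2039, q = 1019, g = 4), the trapdoor 321 and the witness values are constructed.

```python
# Added example (not from the paper): the committed proof of Fig. 1 instantiated with a
# Sigma-protocol for knowledge of a representation y = g^alpha h^beta, plus the trapdoor
# simulation a party knowing sigma = log_g h can perform. All parameters are constructed.
import hashlib
import random

P, Q = 2039, 1019            # p = 2q + 1; G_q is the order-q subgroup of Z_p^*
G = 4                        # generator of G_q
SIGMA = 321                  # constructed trapdoor: h = g^sigma, known only to the simulator
H_BASE = pow(G, SIGMA, P)    # the second Pedersen base h


def hash_to_zq_star(*parts):
    """Collision-resistant hash H : {0,1}^* -> Z_q^* (SHA-256 of a canonical encoding)."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def commit(value, r):
    """Pedersen commitment g^value h^r in G_q."""
    return pow(G, value, P) * pow(H_BASE, r, P) % P


# --- the underlying public-coin proof system Z: knowledge of (alpha, beta) with y = g^alpha h^beta
def p1(x, w, r):
    return pow(G, r[0], P) * pow(H_BASE, r[1], P) % P          # m_1 = g^rho1 h^rho2

def p2(x, w, r, R):
    return ((r[0] + R * w[0]) % Q, (r[1] + R * w[1]) % Q)      # m_2 = (rho1 + R alpha, rho2 + R beta)

def ver(x, m1, R, m2):
    return pow(G, m2[0], P) * pow(H_BASE, m2[1], P) % P == m1 * pow(x, R, P) % P


# --- the committed proof of Fig. 1 (one rng plays the random tapes of both parties)
def committed_proof(x, w, rng):
    r = (rng.randrange(Q), rng.randrange(Q))
    m1 = p1(x, w, r)
    r1 = rng.randrange(Q)
    M1 = commit(hash_to_zq_star(x, m1), r1)      # step 1: P -> V, commitment to (x, m_1)
    R = rng.randrange(1, Q)                      # step 2: verifier's coins
    m2 = p2(x, w, r, R)
    r2 = rng.randrange(Q)
    M2 = commit(hash_to_zq_star(*m2), r2)        # step 3: commitment to m_2 ...
    del w, r                                     # ... and the prover erases the witness
    return M1, R, M2, (x, m1, m2, r1, r2)        # step 4: the opening


def accept(M1, R, M2, opening):
    """Verifier's acceptance rule: both commitments open correctly and Ver accepts."""
    x, m1, m2, r1, r2 = opening
    return (M1 == commit(hash_to_zq_star(x, m1), r1)
            and M2 == commit(hash_to_zq_star(*m2), r2)
            and ver(x, m1, R, m2))


# --- trapdoor simulation: with sigma, a commitment g^a h^b can be opened to any value v
def equivocate(a, b, v):
    """Returns r with g^a h^b = g^v h^r, using h = g^sigma."""
    return (b + (a - v) * pow(SIGMA, -1, Q)) % Q


def simulated_proof(x, rng):
    """Produces an accepting committed proof for x without a witness (needs SIGMA)."""
    a1, b1 = rng.randrange(Q), rng.randrange(Q)
    M1 = commit(a1, b1)                          # commits to nothing in particular
    R = rng.randrange(1, Q)
    a2, b2 = rng.randrange(Q), rng.randrange(Q)
    M2 = commit(a2, b2)
    # honest-verifier simulator of Z (property 6): with R known, pick m_2 first, solve for m_1
    m2 = (rng.randrange(Q), rng.randrange(Q))
    m1 = pow(G, m2[0], P) * pow(H_BASE, m2[1], P) * pow(x, -R, P) % P
    r1 = equivocate(a1, b1, hash_to_zq_star(x, m1))
    r2 = equivocate(a2, b2, hash_to_zq_star(*m2))
    return M1, R, M2, (x, m1, m2, r1, r2)


def demo(seed=7):
    """Returns (honest proof accepted, simulated proof accepted, wrong witness rejected)."""
    rng = random.Random(seed)
    alpha, beta = 11, 22                                     # constructed witness
    y = pow(G, alpha, P) * pow(H_BASE, beta, P) % P          # statement: y = g^alpha h^beta
    honest_ok = accept(*committed_proof(y, (alpha, beta), rng))
    simulated_ok = accept(*simulated_proof(y, rng))
    wrong_rejected = not accept(*committed_proof(y, (alpha, beta + 1), rng))
    return honest_ok, simulated_ok, wrong_rejected
```

The challenge is drawn from 1 to q−1 so that a wrong witness is rejected with certainty in this toy; in the real protocol R is a random string of the security parameter's length. Note how nothing about x reaches the verifier before step 4, and that the simulator never rewinds, which is the property Lemma 2 below rests on.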



Lemma 1. (Zero-Knowledge) This protocol is zero-knowledge for any veri- 
fier. 

Proof: The lemma follows from the fact that for a simulator that knows log_g h, 
the commitments M_1 and M_2 are not binding, and so the simulator can reveal 
x, message m_1 and response m_2 in the very end, when it already knows the 
challenge R, by property 6 of proof system Z. □ 

Note: Notice that the original proof system Z was zero-knowledge for the 
public-coin model only, while the proof system we obtain is zero-knowledge for 
any verifier. (We achieve this because of a preprocessing step that generates h.) 

Lemma 2. (Concurrent Composition) This protocol remains secure when 
executed concurrently (i.e. with an arbitrary interleaving of steps) with arbitrarily 
many invocations of itself or of any other concurrently composable protocols. 

Proof: The lemma follows from the fact that the above simulator that exhibits 
the zero-knowledge property does not need to rewind the verifier. □ 

Lemma 3. (Soundness and Knowledge Extraction) If the discrete loga- 
rithm problem is hard, and the hash function H : {0, 1}^* → Z_q^* is collision- 
resistant, then for this protocol there exists a polynomial-time knowledge ex- 
tractor such that if the verifier accepts with non-negligible probability, then with 
probability 1 − neg(k) the knowledge extractor learns the witness w for x that the 
prover possesses. 

Proof: We will exhibit a knowledge extractor which, with black-box access to 
the prover that induces the verifier to accept with non-negligible probability, 
either extracts a witness for x or computes the discrete logarithm of h to the 
base g, or finds a collision in H. Clearly this is sufficient to prove the lemma. 

The extractor runs the prover and obtains the x, as well as m_1, R, m_2 and 
M_1, r_1, M_2, r_2. Now the extractor rewinds the prover to step 3 of the protocol 
and issues a challenge R' ≠ R. Running the protocol to the end allows the verifier 
to obtain x', as well as m_1', m_2', r_1', and r_2'. Note that since the prover replies 
with non-negligible probability, with enough rewindings, we will get as many 
replies from him as the knowledge extractor KE of proof system Z may need. 

Suppose x ≠ x'. Then either H(x, m_1) ≠ H(x', m_1') or we have 
found a collision in the hash function. If the latter, we have the desired contra- 
diction. Otherwise, M_1 = g^{H(x, m_1)} h^{r_1} = g^{H(x', m_1')} h^{r_1'}, and so we can compute log_g h. 

Now suppose x = x'. Then, by the same argument as above, m_1 = m_1' or 
we find a collision or compute discrete log. Then since m_2 is a valid response to 
challenge R and so is m_2' to challenge R', it follows from the fact that Z is a 
proof of knowledge that we can extract a witness for x by using KE. □ 

Finally, lemma 4 below is the key to why a committed proof is instrumental 
for designing protocols that are secure against the adaptive adversary. It captures 
the counter-intuitive fact that the prover can be attacked in the middle of the 
proof, but the adversary still learns nothing, i.e. the zero-knowledge property of 
the whole game is retained! The only condition required is that the distribution 
(W, D) that captures the adversary’s a priori information about the distribution 
that x and witness w come from, be efficiently samplable. 

Lemma 4. (Security against Corruption) If the prover is corrupted by the 
adversary in the middle of the proof, every thing that the adversary learns can be 
accomplished either by revealing x, or by sampling (W, V) . 

Proof: We prove the claim by exhibiting a simulator $S$ which generates the
adversary's view of the corruption. Suppose the adversary decides to corrupt
the prover just before the end of step 3. Then $S$ samples $(\mathcal{W}, \mathcal{D})$ and obtains a
witness $w'$ for an $x'$. $S$ then generates a random $r$ and, using the trapdoor $\alpha = \log_g h$,
computes $m'_1 = P_1(x', w', r)$ and $r'_1$ such that $M_1 = g^{H(x', m'_1)} h^{r'_1}$, as well as
$m'_2 = P_2(x', w', r, R)$ and $r'_2$ such that $M_2$ is the commitment to $m'_2$ under
randomness $r'_2$. Reveal $w'$, $x'$, $r$, $r'_1$, $r'_2$ to the adversary. These values are
distributed correctly since $w'$ and $x'$ come from distribution $(\mathcal{W}, \mathcal{D})$ and
$r$, $r'_1$, $r'_2$ are all random values.

Suppose the adversary decides to corrupt the prover at some step before the
end of step 3. Then it is clear that $S$ will just have to reveal a subset of the
values above (depending on whether $M_1$ and $M_2$ have been issued yet).

Suppose the adversary corrupts the prover after the end of step 3, i.e. after 
w was erased. Since w is erased, the adversary learns nothing more than what 
the verifier can learn. Thus, S just runs the simulator we have constructed for 
proving the zero-knowledge property. □ 

As we will see in Section 6, this property of a committed proof allows us to create
a perfect and never-failing simulation of the adversary's view, which implies
full concurrency of the erasure-enabled threshold cryptosystems we propose.



4 Implementing Secure Channels without Erasures 

In erasure-enabled adaptive threshold cryptosystems (for example our threshold
Cramer-Shoup of Sec. 6) we can assume secret communication between players,
because secure channels can be implemented in that model with an inexpensive technique
due to Beaver and Haber [BH92]. However, if erasures are not allowed, implementing
secure channels is more complicated. The problem arises because the
adversary can tap all the channels and see all the ciphertexts passed between
players. When the adaptive adversary corrupts a party, he expects to see cleartexts
that correspond to the ciphertexts he has seen. Thus the adaptive adversary
can potentially open any generated ciphertext. When instead of the honest players
we have a simulator attempting to simulate the adversary's view (recall that
such a simulator is needed to prove security), we cannot easily argue why the adversary
does not learn anything from, paradoxically, the ciphertexts that he does
not get to open. This subtle problem, known as the selective decommitment problem
(see Dwork et al. [DNRS99]), arises from our inability to reduce an adversary
that does learn something from such a view to the semantic security of encryption.
This problem can be solved with a non-committing encryption, i.e. an encryption
with the additional property that the ciphertext-looking messages sent by
the simulator can be opened as any cleartexts, and hence contain no information.

A general solution to this problem, due to Canetti et al. [CFGN96], requires
$O(k^2)$ communication for secure transmission of a single bit, where $k$ is the security
parameter. A less expensive technique, under the decisional Diffie-Hellman assumption,
requires $O(k)$ overhead and is due to Beaver [Bea97].

We present a conceptually simpler but less general encryption scheme $\mathcal{E}$
which, under the DDH assumption, is non-committing for the receiver only [JL00].
Such encryption is custom-made for the persistently inconsistent player paradigm.
Namely, a simulator who sends the ciphertext-looking messages on behalf of the
inconsistent player is able to open them freely if the adversary attacks any receiver
of these messages, i.e. anybody but the inconsistent player. Since our simulation
assumes that the adversary never corrupts that player anyway (which
gives us 1/2 probability of success), such encryption is good enough for simulatability
of our protocols. The non-committing encryption we propose has only
negligible communication overhead.

$\mathcal{E}$ is a non-committing encryption scheme in the following sense: On the
one hand, any properly encrypted message has a unique decryption. On the
other, there is a procedure which, given a sender's key and some trapdoor $\alpha$, can
produce a special type of invalid ciphertext which, for any $a \in \mathbb{Z}_q$, can be opened
as an encryption of $m = g^a$. This is achieved because there are $q$ possible secret
keys that this procedure can reveal. Moreover, under DDH, it is impossible to
distinguish the regular ciphertexts from the invalid ones produced by this special
procedure. The ideas we use to implement this encryption $\mathcal{E}$ are similar to those
of Cramer and Shoup [CS98].

Lemma 5. Under DDH, $\mathcal{E}$ is non-committing for the receiver.

Proof: Suppose that Alice (the sender) and Bob (the receiver) are on the same
side and both know $\alpha = \log_g h$ and $z = \log_g P$. Then they can compute an
invalid ciphertext as follows: Pick $r_1 \neq r_2 \neq r_3$ at random, and let $A^* = g^{r_1}$,
$B^* = h^{r_2}$, $C^* = g^{r_3}$. $(A^*, B^*, C^*)$ is not a valid ciphertext because $r_1 \neq r_2$.
If Bob is infiltrated, then for any $m_a = g^a$, he can claim that this triple is an
encryption of $m_a$, by showing a secret key $(x^*, y^*)$ such that the decryption




Adaptively Secure Threshold Cryptography 231 



Common system parameters: Group $G_q$, generators $g$ and $h$.

Bob selects: $x, y \in \mathbb{Z}_q$. Bob sends to Alice: $P = g^x h^y$.

Alice: To transmit message $m \in G_q$ to Bob, Alice chooses $r \in \mathbb{Z}_q$ and sends
$A = g^r$, $B = h^r$, $C = P^r m$ to Bob.

Bob: Computes $m = C / (A^x B^y)$.

Fig. 2. Non-committing encryption scheme $\mathcal{E}$



algorithm outputs $m_a$. He can do that by solving a system of linear equations:
$x^* + y^* \alpha = z \bmod q$ and $r_3 = r_1 x^* + r_2 y^* \alpha + a \bmod q$. If $r_1 \neq r_2$ this system
must have a solution. Therefore, as long as $\alpha$, $a$ and $z$ are known to Alice and
Bob, they are not committed to the plaintext.

We must now show that whether the ciphertext sent is valid or invalid as
above, the view of the adversary who is observing the conversation and may
infiltrate Bob remains the same. Let us call the distribution that produces the
tuples $(P, A^*, B^*, C^*)$ of the invalid form $\mathcal{E}^*(G_q, g, h)$. By $\mathcal{E}(G_q, g, h)$ we will
denote the distribution that produces the tuples $(P, A, B, C)$ where $(A, B, C)$ is
a valid ciphertext under key $P$. We will now show that $\mathcal{E}$ and $\mathcal{E}^*$ are computationally
indistinguishable under the DDH assumption.

Suppose a DDH instance $(g, u, v, w)$ is given. Our goal is to decide whether
it was sampled according to distribution $\mathcal{D} = \{(g, g^s, g^t, g^{st})\}_{s,t}$ or according
to distribution $\mathcal{D}^* = \{(g, g^s, g^t, g^{u})\}_{s,t,u}$. Create the common information for
the encryption scheme as follows: Choose values $\alpha$ and $\beta$ such that $h = g^\alpha u^\beta$.
Choose $x$ and $y$ and create $P = g^x h^y$. Choose some random $a, b, r$. Send $(A, B, C)$
where $A = (g^\alpha v^\beta)^r$, $B = (g^{\alpha^2} u^{\alpha\beta} v^{\alpha\beta} w^{\beta^2})^r$ and $C = A^x B^y m$. Note that if $\log_g w =$
$\log_g u \cdot \log_g v$ (i.e. the DDH instance is from $\mathcal{D}$), then $B = h^{\log_g A}$ and the view the adversary
gets is from distribution $\mathcal{E}$; otherwise the adversary's view is from distribution
$\mathcal{E}^*$. Thus, an adversary that distinguishes between $\mathcal{E}$ and $\mathcal{E}^*$ can be used to
distinguish between $\mathcal{D}$ and $\mathcal{D}^*$. Therefore, under DDH, no such polynomial-time
adversary exists. □
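As an added illustration (not code from the paper), the following Python script implements scheme $\mathcal{E}$ of Fig. 2 over a constructed toy group and carries out the equivocation of Lemma 5: a simulator holding $\alpha = \log_g h$ and $z = \log_g P$ produces an invalid triple $(g^{r_1}, h^{r_2}, g^{r_3})$ and later solves the two linear equations to exhibit a key $(x^*, y^*)$ under which the triple decrypts to any chosen $g^a$. The prime $p = 2039$ with $q = 1019$, the generator and the trapdoor value 777 are constructed for illustration only and are far too small for real use.

```python
# Added example, not from the paper: non-committing encryption E (Fig. 2)
# and the invalid-ciphertext opening of Lemma 5 over a constructed toy group.
import secrets

P = 2039               # constructed safe prime p = 2q + 1 (toy size)
Q = 1019               # prime order of the subgroup G_q
G = 4                  # generator of G_q (a quadratic residue mod p)
ALPHA = 777            # constructed trapdoor alpha = log_g h (simulator only)
H = pow(G, ALPHA, P)   # second generator h = g^alpha


def keygen():
    """Bob: secret key (x, y) in Z_q, public key P = g^x h^y."""
    x, y = secrets.randbelow(Q), secrets.randbelow(Q)
    return (x, y), pow(G, x, P) * pow(H, y, P) % P


def encrypt(pk, m):
    """Alice: valid ciphertext (A, B, C) = (g^r, h^r, P^r m) for m in G_q."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), pow(H, r, P), pow(pk, r, P) * m % P


def decrypt(sk, ct):
    """Bob: m = C / (A^x B^y)."""
    x, y = sk
    A, B, C = ct
    return C * pow(pow(A, x, P) * pow(B, y, P) % P, -1, P) % P


def fake_ciphertext():
    """Simulator: invalid triple (g^r1, h^r2, g^r3) with r1 != r2, i.e. a sample
    of E*.  Returns the exponents (kept by the simulator) and the triple."""
    r1 = secrets.randbelow(Q)
    r2 = (r1 + 1 + secrets.randbelow(Q - 1)) % Q   # r2 ranges over Z_q \ {r1}
    r3 = secrets.randbelow(Q)
    return (r1, r2, r3), (pow(G, r1, P), pow(H, r2, P), pow(G, r3, P))


def open_as(exponents, z, a):
    """Lemma 5: given z = log_g P and target plaintext g^a, solve
         x* + alpha*y*        = z       (mod q)   so that g^x* h^y* = P
         r1*x* + alpha*r2*y*  = r3 - a  (mod q)   so that C*/(A*^x* B*^y*) = g^a
    The system is solvable because r1 != r2 and alpha != 0."""
    r1, r2, r3 = exponents
    y_star = (r3 - a - r1 * z) * pow(ALPHA * (r2 - r1) % Q, -1, Q) % Q
    x_star = (z - ALPHA * y_star) % Q
    return x_star, y_star


def equivocate(z, targets):
    """One invalid triple for public key P = g^z, opened to every g^a in
    targets: returns the decryptions obtained under the opened keys
    (each opened key is checked to match P first)."""
    pk = pow(G, z, P)
    exponents, ct = fake_ciphertext()
    results = []
    for a in targets:
        x_star, y_star = open_as(exponents, z, a)
        assert pow(G, x_star, P) * pow(H, y_star, P) % P == pk
        results.append(decrypt((x_star, y_star), ct))
    return results


if __name__ == "__main__":
    sk, pk = keygen()
    m = pow(G, 123, P)
    print("valid ciphertext decrypts:", decrypt(sk, encrypt(pk, m)) == m)
    # the same invalid triple is opened as g^321 and then as g^9
    print("equivocation:", equivocate(55, [321, 9]) == [pow(G, 321, P), pow(G, 9, P)])
```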

Lemma 6. If a multi-party protocol is secure against the adaptive adversary in
the secure-channels erasure-free model, and the simulator algorithm $SIM^*$ used
to prove security produces a perfect simulation and is such that all but a constant
number of players controlled by this simulator (i.e. the inconsistent players)
follow the protocol exactly, and all messages sent by all honest players can
be prepared by the simulator at send-time such that (1) the inconsistent player's
messages are selected uniformly at random and (2) other players' messages are
distributed correctly in full consistency with whatever the simulator will open as
this player's internal state, then using encryption $\mathcal{E}$ results in a secure multi-party
protocol over insecure channels (under the DDH assumption).

Proof Sketch: First we notice that, since the messages of the honest and consistent
players are known to $SIM^*$, the erasure-free simulator $SIM$ that we
need to construct just uses $\mathcal{E}$ to encrypt the right message from them all the
time. Second, we note that since the messages of the inconsistent player can also
be prepared at send-time, the simulator can prepare sender's key, receiver's key,
ciphertext tuples that would decrypt to these messages.

Next, we notice that if $SIM$ uses scheme $\mathcal{E}^*$ for the inconsistent players, then,
whether the simulator knows the secret inputs and follows the protocol (call that
$View_1$) or simulates it as $SIM^*$ would (call that $View_2$), the adversary sees no
difference in the view because the "ciphertexts" produced by $\mathcal{E}^*$ are independent
of the messages sent on the part of the sender. Now, assume that the simulator
knows the players' inputs and follows the protocol, but embeds an instance of
DDH into the common system parameter $h$, as described in Lemma 5, into the
ciphertext-looking messages produced on the part of the inconsistent players.
This construction creates information-theoretically independent samples of $\mathcal{E}$ or
$\mathcal{E}^*$ based on the same instance of the DDH (call the view of the first distribution
$View_3$, and note that the second view is $View_1$ discussed above). Therefore, an
adversary that differentiates these two distributions can be used to solve the
DDH. Hence, since $View_3$ is the view of the protocol over the insecure channels and
$View_2$ is a view of a simulation, this protocol is secure. □

We note that this implementation of secure channels can only work for a special 
class of multi-party protocols, namely, the ones that satisfy the conditions of 
lemma 6. Thus, although it does not replace Beaver’s elegant scheme in general, 
it allows us to create efficient erasure-free adaptive protocols for many schemes 
that are important in practice, like RSA, DSS, ElGamal, and Cramer-Shoup. 

5 Common Building Blocks 

5.1 Set-Up: Generating an Instance of a Trapdoor Commitment 

Our protocols rely heavily on a discrete-log based trapdoor commitment scheme
due to Pedersen: On instance $(p, q, g, h)$, where $h \in G_q$, a commitment to $x \in \mathbb{Z}_q$
is $C = g^x h^r$, where $r$ is picked at random in $\mathbb{Z}_q$. The value $h$ that defines the
commitment instance is generated jointly once and for all at the beginning of
our protocols in such a way that (1) the simulator can learn the trapdoor
$\log_g h$ of the chosen commitment; and (2) the simulator can embed another
instance of the discrete log problem into the generated commitment by learning
the representation of $h$ in bases $g$ and a second base of its choice. Option (1) is used for proving
secrecy, when knowledge of the trapdoor enables the simulator to always open
the commitments of the players it controls in the way it chooses, which leads to
efficient simulation of the protocols. Option (2) is used to prove robustness: If the
adversary cheats in protocols that follow, the simulator can use such an adversary to
break an instance of the hard problem embedded in the trapdoor. When secure
channels are present, $h$ can be obtained by using general techniques of multi-party
computation [BGW88,CDD+99]. When secure channels are not available, and
implementing them by erasure is not an option, we can use another protocol,
where each player generates his share $h_i$ of $h$, and then all players, in parallel,
prove knowledge of $\log_g h_i$ to each other. This is in some respect similar to the
solution of Frankel et al. [FMY99a-b]. Please see Jarecki and Lysyanskaya [JL00]
for the details.
5.2 Joint Random VSS and Distributed Coinflip

In Figure 3, we include the well-known protocol Joint-RVSS [Ped91,GJKR99] for
joint verifiable sharing of a random secret, which is a basic building block of our
protocols. We give it here anew using notation that is useful for the presentation
of the protocols that follow.



Protocol: (on inputs group $G_q$, generators $g, h$)

1. Each player $P_i$ performs a Pedersen VSS of a random value $a_i$:

(a) $P_i$ picks $t$-deg. polynomials $f_{a_i}(z) = \sum_{k=0}^{t} c_{ik} z^k$, $f_{\hat{a}_i}(z) = \sum_{k=0}^{t} \hat{c}_{ik} z^k$.
Let $a_i = f_{a_i}(0)$ and $\hat{a}_i = f_{\hat{a}_i}(0)$ be the values shared by these polynomials.
$P_i$ broadcasts $C_{ik} = g^{c_{ik}} h^{\hat{c}_{ik}}$ for $k = 0..t$. Set $F_{a_i}(z) = \prod_{k=0}^{t} (C_{ik})^{z^k}$.
$P_i$ sends to $P_j$ shares $\alpha_{ij} = f_{a_i}(j)$, $\hat{\alpha}_{ij} = f_{\hat{a}_i}(j)$ for each $j = 1..n$.

(b) Each $P_j$ verifies if $g^{\alpha_{ij}} h^{\hat{\alpha}_{ij}} = F_{a_i}(j)$ for $i = 1..n$.
If the check fails for any $i$, $P_j$ broadcasts a complaint against $P_i$.

(c) If $P_j$ complained against $P_i$, $P_i$ broadcasts $\alpha_{ij}, \hat{\alpha}_{ij}$; everyone verifies it.
If $P_i$ fails this test or receives more than $t$ complaints, exclude $P_i$ from $Qual$.

2. $P_i$ sets his polynomial share of the generated secret $a$ as
$\alpha_i = \sum_{P_j \in Qual} \alpha_{ji}$ and its associated randomness as $\hat{\alpha}_i = \sum_{P_j \in Qual} \hat{\alpha}_{ji}$.

We label the data structure created by this protocol as RVSS-data$_{t,g,h}$[a]:
Secret Information of each player $P_i$ (well-defined for $P_i \in Qual$):

- $a_i, \hat{a}_i$: his additive shares of the secret and its associated randomness

- $f_{a_i}, f_{\hat{a}_i}$: $t$-degree polynomials he used in sharing his additive share

- $\alpha_i, \hat{\alpha}_i$: his polynomial share of the secret and its associated randomness

- $\alpha_{ji}, \hat{\alpha}_{ji}$: his polynomial shares (and assoc. rand.) of $f_{a_j}, f_{\hat{a}_j}$ for $j = 1..n$

Public Information:

- the set $Qual \subseteq \{P_1, .., P_n\}$

- verification function $F_a : \mathbb{Z}_q \to G_q$ (see the implicit information below)

- verification functions $F_{a_i}(z) = g^{f_{a_i}(z)} h^{f_{\hat{a}_i}(z)}$ for $P_i \in Qual$

Secret Information Defined Implicitly (not stored by any player):

- secret sharing $t$-degree polynomials $f_a(z), f_{\hat{a}}(z)$ s.t. $\alpha_i = f_a(i)$, $\hat{\alpha}_i = f_{\hat{a}}(i)$,
$f_a(z) = \sum_{P_i \in Qual} f_{a_i}(z)$, $f_{\hat{a}}(z) = \sum_{P_i \in Qual} f_{\hat{a}_i}(z)$, and $F_a(z) = g^{f_a(z)} h^{f_{\hat{a}}(z)}$

- secret shared value $a = f_a(0)$ and its associated randomness $\hat{a} = f_{\hat{a}}(0)$

Fig. 3. Joint-RVSS creates a sharing RVSS-data[a] of random secret $a \in \mathbb{Z}_q$



Notation: We say that players generate RVSS-data$_{t,g,h}$[a] if they execute this
protocol with generators $g, h$ and polynomials of degree $t$. We index the data produced
with labels $a, \hat{a}$, using the associated Greek letter for polynomial shares.

One use of Joint-RVSS is in a distributed coinflip protocol (Fig. 4), whose
security properties are formalized in Lemma 7. This lemma is also useful for
other uses of Joint-RVSS where, unlike in the coinflip protocol, the generated
secret is not explicitly reconstructed.
Lemma 7. In the secure channels model, the distributed coinflip protocol of Fig. 4
(1) does not use erasures and (2) simulator $SIM$ simulates it without rewinding.

Proof: The simulator for the security proof is contained in Figure 4. The simulator
knows $\log_g h$, thus it need not decide on the $a_i$'s for players $P_i$ it controls until it
learns $a_j$ for each player $P_j$ that the adversary controls. (Note that the simulator
can determine the adversary's value $a_j$ by interpolating $f_{a_j}(i)$.) After that, the
simulator assigns values $a_i$ to the players in such a way that $\sum_i a_i = a^*$. □

Note: If the simulator is allowed to have one player $P_j \in Qual$ whose internal state
is inconsistent, then it can decide on the values $a_k$ in advance for all $P_k \neq P_j$,
and only leave $a_j$ undefined until it is able to set $a_j = a^* - \sum_{k \neq j} a_k$. This
observation will be useful for erasure-free protocols.



Protocol: (on inputs group $G_q$, generators $g, h$)

1. Players generate RVSS-data[a] (i.e. perform Joint-RVSS, Fig. 3)

2. Each $P_i \in Qual$ broadcasts his additive shares $a_i, \hat{a}_i$

3. For $P_i \in Qual$ s.t. $g^{a_i} h^{\hat{a}_i} \neq F_{a_i}(0)$, the players reconstruct $P_i$'s additive
share $a_i$ by broadcasting their shares $\alpha_{ij}, \hat{\alpha}_{ij}$ and verifying them with $F_{a_i}$

4. A public random value $a$ is reconstructed as $a = \sum_{P_i \in Qual} a_i$

Simulation: (on $SIM$'s inputs $G_q$, $g, h$ and $\alpha = \log_g h$)

1. $SIM$ performs Joint-RVSS on the part of the honest players

2. $SIM$ receives random $a \in \mathbb{Z}_q$. For some $P_i$ among the players it controls:
$SIM$ broadcasts $a'_i = a - \sum_{P_j \in Qual,\, j \neq i} a_j$ and $\hat{a}'_i$ s.t. $a'_i + \alpha \hat{a}'_i = a_i + \alpha \hat{a}_i$.
For all other players $P_j$ it controls, $SIM$ broadcasts correct values $a_j, \hat{a}_j$

3. $SIM$ performs Step 3 on the part of the honest players

4. Note that the public random value is reconstructed as $a$

Fig. 4. Erasure-Free Distributed Coinflip Protocol using Joint-RVSS
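The following Python script is an added example (not the paper's code) of the two protocols just given: Joint-RVSS of Fig. 3 (dealing, the share check of step 1(b), exclusion from Qual, and the polynomial shares of step 2) and the coinflip of Fig. 4, including the reconstruction of step 3 when a player's broadcast additive share does not match $F_{a_i}(0)$. The group $p = 2039$, $q = 1019$, the trapdoor value 777, and the misbehaving players are all constructed for illustration; complaints are modelled by the share check alone.

```python
# Added example, not the paper's code: Joint-RVSS (Fig. 3) and the distributed
# coinflip of Fig. 4 over a constructed toy group (p = 2039, q = 1019).
import secrets

P, Q, G = 2039, 1019, 4          # p = 2q+1, g generates the order-q subgroup G_q
H = pow(G, 777, P)               # h = g^alpha, alpha = 777 constructed (simulator's trapdoor)


def rand_poly(t):
    """Random polynomial of degree t over Z_q (coefficient list, constant term first)."""
    return [secrets.randbelow(Q) for _ in range(t + 1)]


def evaluate(poly, z):
    return sum(c * pow(z, k, Q) for k, c in enumerate(poly)) % Q


def verification_value(C, j):
    """F_{a_i}(j) = prod_k C_{ik}^(j^k), computed from the broadcast C_{ik}."""
    F = 1
    for k, Ck in enumerate(C):
        F = F * pow(Ck, pow(j, k, Q), P) % P
    return F


def share_ok(C, j, share):
    """Step 1(b): g^{alpha_ij} h^{hat alpha_ij} == F_{a_i}(j)."""
    return pow(G, share[0], P) * pow(H, share[1], P) % P == verification_value(C, j)


def deal(t, n, cheat=False):
    """Step 1(a): P_i's Pedersen VSS of a random a_i.  `cheat` (constructed
    misbehaviour) sends P_1 a share that does not match the commitments."""
    f, fhat = rand_poly(t), rand_poly(t)
    C = [pow(G, c, P) * pow(H, d, P) % P for c, d in zip(f, fhat)]   # C_{ik}
    shares = {j: (evaluate(f, j), evaluate(fhat, j)) for j in range(1, n + 1)}
    if cheat:
        shares[1] = ((shares[1][0] + 1) % Q, shares[1][1])
    return {"a": f[0], "ahat": fhat[0], "C": C, "shares": shares}


def joint_rvss(t, n, cheaters=()):
    """Returns the dealings, Qual, and each P_j's polynomial share (alpha_j, hat alpha_j)."""
    dealings = {i: deal(t, n, cheat=i in cheaters) for i in range(1, n + 1)}
    # a dealer whose share fails the check for some P_j is complained about and,
    # since it cannot publish a consistent share, excluded (step 1(c))
    qual = [i for i, d in dealings.items()
            if all(share_ok(d["C"], j, d["shares"][j]) for j in range(1, n + 1))]
    alpha = {j: (sum(dealings[i]["shares"][j][0] for i in qual) % Q,
                 sum(dealings[i]["shares"][j][1] for i in qual) % Q)
             for j in range(1, n + 1)}                                  # step 2
    return dealings, qual, alpha


def lagrange_at_zero(points):
    """Interpolate f(0) in Z_q from {j: f(j)}; needs deg(f)+1 points."""
    total = 0
    for j, fj in points.items():
        num = den = 1
        for k in points:
            if k != j:
                num, den = num * (-k) % Q, den * (j - k) % Q
        total = (total + fj * num * pow(den, -1, Q)) % Q
    return total


def coinflip(dealings, qual, t, liars=()):
    """Fig. 4 steps 2-4: each P_i in Qual broadcasts (a_i, hat a_i); a player in
    `liars` (constructed) broadcasts a wrong a_i, fails the F_{a_i}(0) check and
    has a_i reconstructed from t+1 verified polynomial shares (step 3)."""
    a = 0
    for i in qual:
        d = dealings[i]
        ai, ahat = d["a"], d["ahat"]
        if i in liars:
            ai = (ai + 1) % Q
        if pow(G, ai, P) * pow(H, ahat, P) % P != d["C"][0]:      # F_{a_i}(0) = C_{i0}
            good = {j: s[0] for j, s in d["shares"].items() if share_ok(d["C"], j, s)}
            ai = lagrange_at_zero(dict(list(good.items())[:t + 1]))
        a = (a + ai) % Q
    return a


if __name__ == "__main__":
    dealings, qual, alpha = joint_rvss(t=1, n=3)
    print("Qual:", qual, "coin:", coinflip(dealings, qual, 1))
    print("coin with P_2 lying:", coinflip(dealings, qual, 1, liars=(2,)))
```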



5.3 Simultaneous Zero-Knowledge Proofs of Knowledge 

Our adaptive protocols, following the protocols of Canetti et al. [CGJ+99a], use
simultaneous zero-knowledge proofs of knowledge to enable robustness efficiently.
We describe this technique here in full generality.

Consider any honest-verifier public-coin zero-knowledge proof of knowledge
system (ZKPK) [BG92]. Say that the prover shows knowledge of witness $w$
of a public relation $\mathcal{A} = \{(y, x)\}$ for some value $y$. Let $(p, q, g)$ be a discrete-log
instance and assume that the random coins in the proof system are picked
in $\mathbb{Z}_q$. Assume that the simulator that exhibits the zero-knowledge property
proceeds by first choosing any value for the random coin and then generating
the rest of the proof transcript, and that it has zero probability of failure. Three-round
ZKPKs of this form exist for, in particular, proving knowledge of a discrete
logarithm, i.e. $\mathcal{A} = \{(g^x, x)\}$ (e.g. Schnorr's protocol [Sch91]), or knowledge of
representations, e.g. $\mathcal{A} = \{((g, h, g^x h^\alpha), (x, \alpha))\}$ (see the work of Brands [Bra99] or
Camenisch [Cam98] and the references therein). In a simultaneous proof using
a three-round ZKPK, each player $P_i$ proves knowledge of its witness $w_i$ for
some statement $(y_i, w_i)$ in $\mathcal{A}$ in parallel, by executing the steps of the prover
as in the original ZKPK protocol, while for the verifier's part, they all use a
single common public coin generated with a distributed coinflip protocol. In our
protocols, such a simultaneous proof is preceded by $h$-generation and the coinflip
is implemented with the protocol in Fig. 4. This method generalizes to ZKPK
protocols with any number of rounds: Every time a public coin is needed, it is
picked via a distributed coinflip.

The following lemma is purely technical, but it isolates a convenient property
of the simultaneous proof that allows us to concisely argue the security of the
protocols that use it as a building block.

Lemma 8. In the secure channels model, the simultaneous proof protocol has
the following two properties: (1) It can be simulated without rewinding as long
as the simulator has a consistent internal state for every player the adversary
corrupts; (2) There is a simulator that can extract all the witnesses from the
players controlled by the adversary.

See Jarecki and Lysyanskaya [JL00] for the proof. From the lemma above and
Lemma 4 we immediately get:

Corollary 1. In the erasure-enabled model, if the ZKPK proof used in the above
simultaneous proof protocol is a committed proof of Fig. 1, this protocol can be
successfully simulated without rewinding even if the simulator does not know any
witnesses to the statements it reveals for the players it controls.

Lemma 8 also implies a corollary useful for our erasure-free protocols:

Corollary 2. In the secure channels erasure-free model, the simultaneous proof
protocol can be simulated if the simulator does not know the witnesses for a
constant number of players it controls, as long as these players are not corrupted
by the adversary.

5.4 Shared Exponentiation Protocol 

Another useful building block of our threshold cryptosystems is a protocol that
computes $m^a$ for any input element $m \in G_q$ if value $a \in \mathbb{Z}_q$ is secret-shared with
RVSS-data[a]. This protocol has two variants, an "additive" and a "polynomial"
exponentiation (Figs. 5 and 6), which refers to the two methods of extracting
value $m^a$ from the sharing RVSS-data[a] of $a$: Every player $P_i$ broadcasts either
value $m^{a_i}$ for its additive share $a_i$, or value $m^{\alpha_i}$ for its polynomial share $\alpha_i$.

The additive exponentiation protocol, which generalizes and removes erasure
from the distributed key generation protocol of [CGJ+99a], is the basis of the key
generation for our threshold Cramer-Shoup cryptosystems, and it is used in our
threshold Cramer-Shoup decryption in the erasure-free setting. The polynomial
exponentiation is used in our concurrent erasure-enabled Cramer-Shoup decryption.
Since the polynomial exponentiation protocol erases the polynomial shares
$\alpha_i$ of $a$ at the end, in that model we must always use a one-time randomization of
the polynomial secret-sharing of $a$ as input to this protocol. We omit the proofs
of the two lemmas below and refer the reader to Jarecki and Lysyanskaya [JL00]
and Lysyanskaya [Lys00] for them.



Input: $m \in G_q$, secret sharing RVSS-data[a], $g, h \in G_q$

1. Each $P_i$ broadcasts $A_i = m^{a_i}$

2. With a simultaneous proof of Sec. 5.3, using a ZKPK proof of equality of
representation, each $P_i$ proves knowledge of (equal) representation of $A_i$
in bases $m, 1$ and $F_{a_i}(0)$ in bases $g, h$.

If some $P_i$ fails, $a_i$ and $A_i = m^{a_i}$ are reconstructed publicly using $F_{a_i}$

3. Everyone computes $m^a = \prod_{i=1}^{n} A_i$

Fig. 5. Erasure-Free Additive Exponentiation with RVSS-data[a]



Lemma 9. In the secure channels erasure-free model, as long as the adversary
does not corrupt the designated persistently inconsistent player, the additive exponentiation
protocol can be simulated such that (1) for all honest and consistent
players, the simulator can provide correct messages they send at the time
of sending and (2) for the honest inconsistent player, the simulator can provide
messages such that if any $t$ of them are revealed they look correct.



Input: $m \in G_q$, secret sharing RVSS-data[a], $g, h \in G_q$

1. With a simultaneous proof of Sec. 5.3, using the committed ZKPK proof (Fig. 1)
of equality of representation, each $P_i$ proves knowledge of (equal)
representation of $A_i = m^{\alpha_i}$ in bases $m, 1$ and $F_a(i)$ in bases $g, h$.

Note that at the end of the proof, value $A_i$ is published and $\alpha_i$ erased.

2. Value $m^a$ is interpolated in the exponent from the $A_i$'s that passed the proof

Fig. 6. Erasure-Enabled Polynomial Exponentiation with RVSS-data[a]



Lemma 10. In the erasure-enabled model, the polynomial exponentiation protocol
can be simulated without rewinding.

6 Concurrent Threshold Cramer-Shoup Cryptosystem 

The Cramer-Shoup Cryptosystem. Recall the Cramer-Shoup [CS98] cryptosystem.
The setting is as follows: a group $G_q$ in which the decisional Diffie-Hellman
problem is assumed to be hard, and a universal one-way family of
hash functions $H : \{0,1\}^* \to \mathbb{Z}_q^*$ are given [BR97,Sho99a]. The secret key
consists of five values, $a, b, c, d, e$, selected from $\mathbb{Z}_q^*$ uniformly at random. The
public key consists of two random bases, $g_1, g_2 \in G_q$, such that the discrete
logarithm that relates them is unknown, and the group elements $C = g_1^a g_2^b$,
$D = g_1^c g_2^d$, $W = g_1^e$. To encrypt a message $m$ from a message space $M$
($M$ is assumed to have an efficiently computable and invertible mapping into
$G_q$, and so we write $m \in G_q$), Alice chooses $r \in \mathbb{Z}_q^*$ uniformly at random,
computes $x = g_1^r$, $y = g_2^r$, $w = W^r m$, $\sigma = H(x, y, w)$, and $v = C^r D^{r\sigma}$. The
ciphertext is the 4-tuple $(x, y, w, v)$. And now for decryption, we will use the
Canetti-Goldwasser method [CG99]: Bob selects uniformly at random $s \in \mathbb{Z}_q^*$
and outputs $w / (x^e (v/v')^s)$, where $v' = x^{a + c\sigma} y^{b + d\sigma}$. Recall that, under the
assumption that the decisional Diffie-Hellman problem is hard, the Cramer-Shoup
cryptosystem, as well as the Canetti-Goldwasser variant thereof, has been shown
to be secure against adaptive chosen ciphertext attack, which is the strongest notion
of security known for public-key cryptosystems [CS98,Sho99b,CG99].
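As an added example (not code from the paper or from [CS98]/[CG99]), the following Python script runs the scheme just recalled over a constructed toy group and shows why the Canetti-Goldwasser randomizer $s$ is harmless for a valid ciphertext ($v = v'$, so $(v/v')^s = 1$) and turns an invalid one into a random group element rather than a rejection. SHA-256 reduced mod $q$ is a stand-in for the universal one-way hash family, and $\log_{g_1} g_2 = 345$ is a constructed value that in a real key must be unknown to everyone.

```python
# Added example, not from the paper: Cramer-Shoup encryption with the
# Canetti-Goldwasser randomized decryption w / (x^e (v/v')^s), over a
# constructed toy group (p = 2039, q = 1019).
import hashlib
import secrets

P, Q = 2039, 1019
G1 = 4                   # generator of the order-q subgroup
G2 = pow(G1, 345, P)     # constructed; the relation to g1 must be unknown in practice


def hash_to_zq(*elems):
    """Stand-in for H : {0,1}* -> Z_q (not a UOWHF family; illustration only)."""
    data = ",".join(str(e) for e in elems).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(sk=None):
    """Secret key (a, b, c, d, e); public key (C, D, W) = (g1^a g2^b, g1^c g2^d, g1^e).
    `sk` may be given explicitly (used by the tests), otherwise drawn at random."""
    a, b, c, d, e = sk if sk else (secrets.randbelow(Q) for _ in range(5))
    C = pow(G1, a, P) * pow(G2, b, P) % P
    D = pow(G1, c, P) * pow(G2, d, P) % P
    return (a, b, c, d, e), (C, D, pow(G1, e, P))


def encrypt(pk, m, r=None):
    """(x, y, w, v) = (g1^r, g2^r, W^r m, C^r D^{r sigma}) with sigma = H(x, y, w)."""
    C, D, W = pk
    r = secrets.randbelow(Q) if r is None else r
    x, y = pow(G1, r, P), pow(G2, r, P)
    w = pow(W, r, P) * m % P
    sigma = hash_to_zq(x, y, w)
    v = pow(C, r, P) * pow(D, r * sigma % Q, P) % P
    return x, y, w, v


def v_prime(sk, ct):
    """v' = x^{a + c sigma} y^{b + d sigma}; equals v exactly for valid ciphertexts."""
    a, b, c, d, _ = sk
    x, y, w, _ = ct
    sigma = hash_to_zq(x, y, w)
    return pow(x, (a + c * sigma) % Q, P) * pow(y, (b + d * sigma) % Q, P) % P


def decrypt_cg(sk, ct, s=None):
    """Canetti-Goldwasser decryption: w / (x^e (v/v')^s) for random s in Z_q^*.
    A valid ciphertext has v = v', so the randomizer vanishes and m comes out;
    an invalid one yields a random group element instead of an error."""
    x, y, w, v = ct
    e = sk[4]
    s = 1 + secrets.randbelow(Q - 1) if s is None else s
    ratio = v * pow(v_prime(sk, ct), -1, P) % P
    return w * pow(pow(x, e, P) * pow(ratio, s, P) % P, -1, P) % P


if __name__ == "__main__":
    sk, pk = keygen()
    m = pow(G1, 99, P)                      # message encoded as an element of G_q
    ct = encrypt(pk, m)
    print("valid  :", decrypt_cg(sk, ct) == m)
    x, y, w, v = ct
    print("invalid:", decrypt_cg(sk, (x, y, w, v * G1 % P)))   # random element, not m
```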

Key Generation. In Figure 7, we present the key generation protocol for the
concurrent Cramer-Shoup cryptosystem. We assume that the group $G_q$ with a
generator $g$ and the universal one-way hash function $H$ have been generated
already. Indeed, we may allow one server to set up these parameters and have
the others verify that his computation was performed correctly. We also assume
that $h \in G_q$ was generated using the correct $h$-generation protocol.



Input: $G_q$, $g$, $h$, $H$

Goal: Generate the Cramer-Shoup public key $(g_1, g_2, C, D, W)$.

1. Run the joint coinflip protocol and generate random bases $g_1, g_2, h_1, h_2$.

2. Run Joint-RVSS five times in parallel and obtain RVSS-data$_{t,g_1,h_1}$[a, c, e]
and RVSS-data$_{t,g_2,h_2}$[b, d].

3. $P_i$ performs, in parallel, committed simultaneous proofs of knowledge of
repr. in bases $g_1, g_2$ of values $C_i = g_1^{a_i} g_2^{b_i}$, $D_i = g_1^{c_i} g_2^{d_i}$, $W_i = g_1^{e_i}$,
and repr. in bases $h_1, h_2$ of values $\hat{C}_i = h_1^{\hat{a}_i} h_2^{\hat{b}_i}$, $\hat{D}_i = h_1^{\hat{c}_i} h_2^{\hat{d}_i}$, and $\hat{W}_i = h_1^{\hat{e}_i}$;
$P_i$ erases $f_{a_i}, f_{b_i}, f_{c_i}, f_{d_i}, f_{e_i}$ and $f_{\hat{a}_i}, f_{\hat{b}_i}, f_{\hat{c}_i}, f_{\hat{d}_i}, f_{\hat{e}_i}$;
$P_i$ opens the committed proofs.

4. Verify (1) validity of other players' proofs;
and (2) for all $P_k \in Qual$, $C_k \hat{C}_k = F_{a_k}(0) F_{b_k}(0)$, $D_k \hat{D}_k = F_{c_k}(0) F_{d_k}(0)$,
and $W_k \hat{W}_k = F_{e_k}(0)$.

For any player who failed the test, reconstruct all his secrets using backup
information stored in RVSS-data[a, b, c, d, e].

5. Compute the public key:
$C = \prod_{P_i \in Qual} C_i$, $D = \prod_{P_i \in Qual} D_i$ and $W = \prod_{P_i \in Qual} W_i$.

Fig. 7. Erasure-Enabled Key Generation for Cramer-Shoup



See Lysyanskaya [Lys00] for proofs of security and robustness for this protocol.
We note that the simulator for the security proof is easy to construct. The
key step here is that we generate two auxiliary bases, $h_1$ and $h_2$, such that if this
is a simulation, the simulator will get to know $\log_{g_1} h_1$ and $\log_{g_2} h_2$. As a result
of this and of the committed proof technique, at no step of this protocol will
the simulator be committed to a particular player's internal state (see Lemma 1
and Lemma 4). The additive share of the public key published at the end is
non-committing to any current internal state either, because it is distributed
independently from any non-erased information that the adversary will ever have
a chance to see.

We also note that if a corrupted player deviates from the protocol but still 
succeeds in carrying out the committed proof so that the honest players accept, 
then, since these proofs are proofs of knowledge of representation, we can exhibit 
an extractor which will compute two different representations of some value in 
two different bases, and will therefore solve the discrete logarithm problem. 

Decryption. In figure 8, we present the decryption protocol for the Cramer- 
Shoup cryptosystem. For full proofs of security and robustness of this protocol, 
see Lysyanskaya [LysOO]. 

Let us only show correctness of the decryption protocol in Figure 8: if all the
players behave as prescribed by the protocol, the output is a valid decryption. To
see this, let us look at the values
$O_i = m_i m'_i = (v_i/v)^{s_i} g^{r_i s_i} g^{u_i} \cdot x^{e_i} g^{-r_i s_i} g^{o_i} g^{-u_i} = (v_i/v)^{s_i} x^{e_i} g^{o_i}$.
Since $o(z)$ is a degree-$2t$ share of $0$, the interpolation of these shares will yield
$x^{e} (v'/v)^{s}$, as in Canetti and Goldwasser [CG99].

The decryption protocol is secure because all the information that one sees
before the committed proofs are opened does not commit the simulator to the
internal state of any of the players (by Lemma 4), and, since the simulator knows
the values $\log_g h$, $\log_{g_1} h_1$ and $\log_{g_2} h_2$, the simulator can exhibit the internal
state of any player at the adversary's request. The information revealed after the
committed proof is information-theoretically independent of the internal state of
the player who published it, since by the time he publishes it, any
secrets pertaining to it have been erased; and the whole process is perfect zero-knowledge
by Corollary 1. Therefore, owing to the committed proof technique,
we get a perfect simulation of the adversary's view. Robustness follows from
Lemma 3.

Key Refresh. Notice that, using standard techniques [HJJ+97], the above implementation
of the threshold Cramer-Shoup cryptosystem can be made proactive,
i.e. secure against mobile attackers who, over time, lose control over some
of the servers but attack new ones.

Taking the Decryption Off-Line. Note that, as in the Canetti-Goldwasser
implementation [CG99], we can precompute and store the randomizers. When
a ciphertext needs to be decrypted, a user can talk to each server individually
and have each server, using committed proofs, prove to the user that its share
of the decryption is valid. By Lemma 2, these committed proofs can be executed
concurrently. Such a method can tolerate up to $n/3$ corruptions.
Input: Values obtained from the key generation protocol.

Goal: Decrypt ciphertext $(x, y, w, v)$.

Notation: In this protocol, indexed Latin letters (e.g. $o_i$) denote polynomial
shares of the corresponding values. (Unlike the rest of this extended abstract,
where they denote additive shares.)

1. Run Joint-RVSS five times and obtain RVSS-data$_{t,g,h}$[s, r, p] and
RVSS-data$_{2t,g,h}$[o, u].

2. $P_i$ computes the following values:

(a) $l_i = x^{a_i + \sigma c_i} y^{b_i + \sigma d_i} g^{r_i} = v_i g^{r_i}$, where $v_i = x^{a_i + \sigma c_i} y^{b_i + \sigma d_i}$.

(b) $l'_i = g^{r_i} h^{p_i}$.

(c) $l''_i = (l_i)^{s_i} h^{u_i}$.

(d) $m_i = (l_i/v)^{s_i} g^{u_i} = (v_i/v)^{s_i} g^{r_i s_i} g^{u_i}$.

(e) $m'_i = x^{e_i} g^{-r_i s_i} g^{o_i} g^{-u_i}$.

3. Prove in committed simultaneous form:

(a) Eq. of repr. of $l_i$, $F_a(i)$, $F_b(i)$, $F_c(i)$, $F_d(i)$, $F_r(i)$ in bases
$(x, x^\sigma, y, y^\sigma, g, 1, 1, 1, 1, 1)$, $(g_1, 1, 1, 1, 1, h_1, 1, 1, 1, 1)$,
$(1, 1, g_2, 1, 1, 1, 1, h_2, 1, 1)$, $(1, g_1, 1, 1, 1, 1, h_1, 1, 1, 1)$,
$(1, 1, 1, g_2, 1, 1, 1, 1, h_2, 1)$, $(1, 1, 1, 1, g, 1, 1, 1, 1, h)$, correspondingly.

(b) Eq. of repr. of $l'_i$, $F_r(i)$, $F_p(i)$ in bases $(g, 1, h, 1)$, $(g, h, 1, 1)$,
$(1, 1, g, h)$.

(c) Eq. of repr. of $l''_i$, $F_s(i)$, $F_u(i)$ in bases $(l_i, h, 1, 1)$, $(g, 1, h, 1)$,
$(1, g, 1, h)$.

(d) Eq. of repr. of $m_i$, $F_s(i)$, $F_u(i)$ in bases $((l_i/v), g, 1, 1)$, $(g, 1, h, 1)$,
$(1, g, 1, h)$.

(e) Eq. of repr. of $m'_i$, $F_e(i)$, $(l'_i)^{s_i}$, $F_o(i)$, $F_u(i)$ in bases
$(x, g^{-1}, g, g^{-1}, 1, 1, 1, 1)$, $(g_1, 1, 1, 1, h_1, 1, 1, 1)$, $(1, g, 1, 1, 1, h, 1, 1)$,
$(1, 1, g, 1, 1, 1, h, 1)$, $(1, 1, 1, g, 1, 1, 1, h)$.

4. Erase the one-time secrets generated in step 1.

5. Open the committed proofs and reveal $l_i$, $l'_i$, $l''_i$, $m_i$, and $m'_i$.

6. Verify the committed proofs of other players.

7. Set a player's output share $O_i = m_i m'_i$. Determine the output $O$ by Lagrange
interpolation in the exponent; the resulting decryption is $w/O$.

Fig. 8. Erasure-enabled decryption for Cramer-Shoup



7 Erasure-Free Threshold Cramer-Shoup Cryptosystem 

We exemplify our erasure-free threshold cryptography techniques with a threshold
protocol for the Cramer-Shoup cryptosystem (Fig. 10). We assume that the
key generation was done similarly to Sec. 6, except that all sharings are of the
type RVSS-data$_{t,g,h}$[a, b, c, d, e]. Since this protocol essentially exponentiates elements
$v^{-1}, x, y$ to values that are held with additive sharing, the security of this
protocol can be shown in an argument similar to Lemma 9. For full analysis, as
well as the key generation protocol, see Jarecki and Lysyanskaya [JL00].

This protocol uses an "additive multiplication" sub-protocol MULT (Fig. 9),
which creates ADD-data[c], an additive sharing with polynomial backups of value
$c = ab \bmod q$ from sharings RVSS-data[a] and RVSS-data[b]. Note that if the $\alpha_i$'s
and $\beta_i$'s are shares of $t$-degree polynomials $f_a, f_b$ s.t. $f_a(0) = a$, $f_b(0) = b$, then
$c = \sum_{i=1}^{n} v_i$ where $v_i = \lambda_i \alpha_i \beta_i \bmod q$ for some interpolation coefficients $\lambda_i$ (assuming,
for simplicity, that $n = 2t + 1$). Therefore, the players already hold additive
shares $v_i$ of $c$, but they are not independently distributed. Protocol MULT
essentially re-randomizes this additive sharing, as the "2sum-to-2sum" protocol
of [FMY99a-b] (except that here all players participate). In the future use of the
newly created additive shares $c_i$ of $c$, the polynomial sharings RVSS-data[a, b]
can serve as backups: If any player $P_j$ misuses or withholds its $c_j$ in the future,
these shares are used to reconstruct $v_j = \lambda_j \alpha_j \beta_j$, and the values $c_i$ of all other
players are adjusted so that $\sum_{i \neq j} c_i = c$.



Input: Sharings RVSS-data[a], RVSS-data[b], values $p, q, g, h$
Goal: Additive sharing ADD-data[c] of $c = ab = \sum_{i=1}^{n} \lambda_i \alpha_i \beta_i \bmod q$

1. Each player $P_i$ computes its additive share $v_i = \lambda_i \alpha_i \beta_i$ of $c$, picks $\hat v_i \in \mathbb{Z}_q$, broadcasts the value $E_{v_i}(0) = g^{v_i} h^{\hat v_i}$ and proves that $v_i$ in $E_{v_i}(0)$ is the product of $\alpha_i$ and $\lambda_i \beta_i$ committed to in $F_a(i)$ and $(F_b(i))^{\lambda_i}$. This is done using a simultaneous proof of Sec. (5.3) with a 3-move public-coin zero-knowledge proof of [CD98].

2. Players perform the "2sum-to-2sum" protocol of [FMY99a-b] for additive re-sharing of the shares $v_1, \ldots, v_n$. At the end each $P_i$ computes its new additive share $c_i, \hat c_i$ of $c$, and there are public verification values $E_{c_i}(0) = g^{c_i} h^{\hat c_i}$.

Fig. 9. Multiplication MULT: (RVSS-data[a], RVSS-data[b]) → ADD-data[ab]
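The share arithmetic behind MULT, as an added example (this is not the paper's or Jarecki and Lysyanskaya's code): Shamir shares of $a$ and $b$ over a toy prime field, the additive product shares $v_i = \lambda_i \alpha_i \beta_i$ for $n = 2t+1$ players, a naive model of the re-randomization step (each player splits $v_i$ into $n$ summands), and recovery of a withheld share from the polynomial backups. The modulus `Q`, the sharing helpers and the way the re-sharing is modelled are assumptions of this example; commitments, the zero-knowledge proofs and the actual [FMY99a-b] messages are omitted.

```python
import random

Q = 2**61 - 1   # prime modulus of the share field (constructed toy parameter)

def share(secret, t, n, rng):
    """Shamir sharing: random t-degree polynomial f with f(0) = secret; returns {i: f(i)}."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(t)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange(indices, x):
    """Coefficients lambda_i with f(x) = sum_i lambda_i f(i) for any f of degree < len(indices)."""
    lam = {}
    for i in indices:
        num = den = 1
        for j in indices:
            if j != i:
                num = num * (x - j) % Q
                den = den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def product_shares(alpha, beta):
    """v_i = lambda_i * alpha_i * beta_i.  With n = 2t+1 players the 2t-degree polynomial
    f_a * f_b is fixed by its n points, so sum_i v_i = f_a(0) f_b(0) = ab mod Q."""
    lam = lagrange(list(alpha), 0)
    return {i: lam[i] * alpha[i] % Q * beta[i] % Q for i in alpha}

def rerandomize(v, rng):
    """Additive re-sharing (the 2sum-to-2sum step, modelled naively): P_i splits v_i into
    n random summands and hands one to each player; the new share c_i is the sum of what
    P_i received.  Returns (c, sent) with sent[i][k] = the summand P_i gave to P_k."""
    players = list(v)
    sent = {}
    for i in players:
        parts = [rng.randrange(Q) for _ in range(len(players) - 1)]
        parts.append((v[i] - sum(parts)) % Q)
        sent[i] = dict(zip(players, parts))
    c = {k: sum(sent[i][k] for i in players) % Q for k in players}
    return c, sent

def recover_withheld(c, sent, j, alpha, beta):
    """P_j withholds c_j.  The others drop the summands P_j gave them and add back the
    ones they gave P_j (leaving a sharing of ab - v_j), then reconstruct v_j from the
    polynomial backups: alpha_j and beta_j are interpolated from their own shares."""
    others = [i for i in c if i != j]
    lam_j = lagrange(others, j)             # n-1 = 2t >= t+1 shares determine f_a, f_b
    alpha_j = sum(lam_j[i] * alpha[i] for i in others) % Q
    beta_j = sum(lam_j[i] * beta[i] for i in others) % Q
    v_j = lagrange(list(c), 0)[j] * alpha_j % Q * beta_j % Q
    new_c = {i: (c[i] - sent[j][i] + sent[i][j]) % Q for i in others}
    new_c[others[0]] = (new_c[others[0]] + v_j) % Q   # any one player absorbs v_j
    return new_c

def demo(seed=2000, t=2, a=1234567890123, b=987654321098):
    """Runs the whole flow for n = 2t+1 players and returns the quantities to compare."""
    rng, n = random.Random(seed), 2 * t + 1
    alpha, beta = share(a, t, n, rng), share(b, t, n, rng)
    v = product_shares(alpha, beta)
    c, sent = rerandomize(v, rng)
    new_c = recover_withheld(c, sent, 3, alpha, beta)
    return {"ab": a * b % Q, "sum_v": sum(v.values()) % Q,
            "sum_c": sum(c.values()) % Q, "sum_after": sum(new_c.values()) % Q,
            "rerandomized": c != v, "withheld_removed": 3 not in new_c}
```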



Input: Ciphertext $x, y, w, \sigma, v$, public key $g_1, g_2, C, D, W$, values $p, q, g, h$
Sharings RVSS-data[a,b,c,d,e,s] (i.e. RVSS-data[a], RVSS-data[b], etc.)
Goal: Decrypt cleartext $m = \; \bmod p$

1. Each player locally obtains its part of RVSS-data[$a + c\sigma$] and RVSS-data[$b + d\sigma$] from RVSS-data[a,b,c,d] and $\sigma$.

2. Let $r = s(a + c\sigma)$ and $z = s(b + d\sigma)$. Players perform two parallel MULT instances to get ADD-data[r] and ADD-data[z] from RVSS-data[$s, a + c\sigma, b + d\sigma$].

3. Each $P_i$ broadcasts $m_i = $ and proves, using a simultaneous proof of Sec. (5.3) with a 3-move public-coin zero-knowledge proof, equality of representation of $m_i/w$, $F_{s_i}(0)$, $F(0)/F_{e_i}(0)$, and $F(0)$ in appropriate bases made of the elements $1, g, h, v^{-1}, x, y$ in $G_q$.

4. If any player fails, their secret inputs are reconstructed.

Fig. 10. Adaptive Erasure-Free Cramer-Shoup Protocol
Abstract. The main difference between confirmer signatures and ordinary digital signatures is that a confirmer signature can be verified only with the assistance of a semitrusted third party, the confirmer. Additionally, the confirmer can selectively convert single confirmer signatures into ordinary signatures.

This paper points out that previous models for confirmer signature schemes are too restricted to address the case where several signers share the same confirmer. More seriously, we show that various proposed schemes (some of which are provably secure in these restricted models) are vulnerable to an adaptive signature-transformation attack. We define a new stronger model that covers this kind of attack and provide a generic solution based on any secure ordinary signature scheme and public key encryption scheme. We also exhibit a concrete instance thereof.



1 Introduction 

To limit the information dispersed by digital signatures, Chaum and van Antwerpen introduced the concept of undeniable signatures [10]. Undeniable signatures can only be verified with the help of the original signer. Of course, the signer should be able to deny invalid signatures but must not be able to deny valid signatures. Thereby the signer is able to control who gets to know the validity of a signature. To overcome this concept's shortcoming that signers might be unavailable or unwilling to cooperate and hence signatures would no longer be verifiable, Chaum suggested the notion of confirmer signatures [9]. Here, the ability to verify/deny signatures is transferred to a semitrusted third party, the confirmer. The confirmer is also given the power to convert a confirmer signature into an ordinary (i.e., publicly verifiable) signature. Of course, the confirmer should not be involved in the signing process. It is understood that the confirmer follows some policy for deciding to whom he confirms signatures or which signatures he can convert and under which circumstances (e.g., such a policy could be included in the signed message). For instance, a policy could state that confirmation is only allowed during a certain time period, only to a certain group of people, or simply that the confirmer must log all requests.

Chaum also presented a concrete scheme but neither a formal model nor a proof of security [9]. Later, Okamoto presented a formal model and proved that confirmer signature schemes are equivalent to public-key encryption [23]. Okamoto further presented a practical solution. However, Okamoto's model explicitly enables not only the confirmer but also the signer to assist in verification of a confirmer signature. A drawback of this approach is that a coercer could force the signer to cooperate in confirming or denying a signature. Although a signer is in principle always able to prove that a confirmer signature he generated is valid (e.g., by proving knowledge of all inputs to the signing algorithm), the signer can always claim that he did not generate an alleged confirmer signature and thus is unable to prove anything, if confirmer signatures are "invisible", i.e., if it is undecidable for everybody apart from the confirmer whether a confirmer signature is valid or not. This coercer problem is (partially) overcome in the model of Michels and Stadler [21], which does not explicitly enable the signer to deny invalid signatures. They also showed that Okamoto's practical scheme is insecure because the confirmer can fake signatures. Moreover, they proposed new schemes and proved them secure in their model. Finally, all realizations proposed so far [9,11,21,22,23] incorporate the feature that the confirmer could convert confirmer signatures into ordinary but proprietary signatures (i.e., not standard signatures such as RSA PKCS#1 or DSS). However, this convertibility is not included in any of their models and it is hence uncertain whether the schemes remain secure if this feature is activated.

The contribution of this paper is to point out that various proposed confirmer schemes are insecure when many signers share the same confirmer. The latter seems to be natural in an e-commerce environment where playing the role of a confirmer is offered as a trusted third party service and signers decide on a per-signature basis which confirmer to use (possibly considering requirements from the signature receiver). More precisely, these schemes are vulnerable to an adaptive signature-transformation attack, where the attacker transforms a confirmer signature with respect to given signing keys into a confirmer signature with respect to other signing keys such that the resulting confirmer signature is valid only if the original signature is valid. With this new signature the attacker can enter the confirmation protocol and thus circumvent the policy of the original signature. For instance, such attacks are possible against the schemes in [21] that were proved secure with respect to the model given there, and they apply also to some of the schemes presented in [9,23]. We argue that the formal models [21,23] proposed so far are too restrictive, e.g., as this kind of attack is not incorporated.

This paper exhibits a new model that fully incorporates adaptive adversaries. The model also explicitly includes the convertibility of confirmer signatures into ordinary signatures and excludes the signer's ability to deny invalid signatures. We present a generic solution based on any signature scheme that is secure against an adaptive chosen-message attack and on any encryption scheme that is secure against an adaptive chosen-ciphertext attack, and prove its security in our model. This solution enjoys perfect convertibility, i.e., converted signatures are signatures with respect to the signature scheme we use as a building block. This property is unmet by all previously proposed schemes. We also provide a concrete instance based on any deterministic RSA signature scheme and the Cramer-Shoup encryption scheme. An adaptation to other signature schemes such as DSS is easily possible using techniques from [1]. Moreover, we outline how the scheme of Michels and Stadler can be adapted to be secure in our model and how scenarios such as fair contract signing and verifiable signature sharing can be addressed.

2 Confirmer Signature Model

This section provides a formal definition of confirmer signatures. After having defined our model, we discuss the differences from previously suggested models in detail and point out why various previously proposed schemes fail in our model.



2.1 Formal Model

Definition 1. The players in a confirmer signature scheme are signers S, confirmers , and verifiers . A confirmer signature scheme consists of the following procedures:

Key generation: Let CKGS(1^ ) → ( s, s) and CKGC(1^ ) → ( c, c) be two probabilistic algorithms. The parameter is a security parameter, ( s, s) is a secret/public key pair for the signer, and ( c, c) is a secret/public key pair for the confirmer.

Signing: A probabilistic signature generation algorithm CSig( , s, S, c) → σ for signing a message ∈ {0,1}*.

Confirmation and disavowal: A signature verification protocol (CVerC, CVerV) between a confirmer and a verifier. The private input of the confirmer is c and their common input consists of , σ, s, and c. The output of the verifier is either 1 (true) or 0 (false).

Selective convertibility: An algorithm CConv( , σ, s, C, c) → that allows a confirmer to turn a confirmer signature σ into an ordinary signature. If the conversion fails, the algorithm's output is ⊥.

Signature verification (ordinary): An algorithm COVer( , , s) → {0,1} that allows everybody to verify signatures and takes as input a message , a signature , and the public key s of the signer.

Before formally stating the security requirements, we try to describe the intuition behind them. Correctness and validity of confirmation/disavowal, and correctness of conversion are obvious. Security for the signer guarantees that confirmer signatures as well as converted signatures are unforgeable under an adaptive chosen-message attack (cf. [20]). Security for the confirmer / invisibility of signatures guarantees that the scheme is secure for the confirmer against adaptive chosen-confirmer-signature attacks (this is similar to security against chosen-ciphertext attacks for encryption schemes; in fact, CSig can be regarded as an encryption scheme for a single bit). This requirement also assures that no one apart from the confirmer can distinguish between valid and invalid confirmer signatures. This ensures for instance that the signer is not coercible. Finally, non-transferability says that one cannot get more information out of the confirmation/disavowal protocol than whether a signature is valid or not.

By { (u)} we denote the set of all possible output values of a probabilistic algorithm when given input u.

Correctness of confirmation/disavowal: If the confirmer and the verifier are honest, then for all , all ( s, s) ∈ {CKGS(1^ )}, all ( c, c) ∈ {CKGC(1^ )}, all ∈ {0,1}*, and all σ ∈ {0,1}*,

CVerV_{CVerC}( , σ, s, c) = 1 if σ ∈ {CSig( , s, s, c)}, and 0 otherwise.

Validity of confirmation/disavowal: For all CVerC*, all sufficiently large , all ( s, s) ∈ {CKGS(1^ )}, all ( c, c) ∈ {CKGC(1^ )}, all ∈ {0,1}*, all σ ∈ {0,1}*, and for every polynomial p(·) we require that

Prob[CVerV_{CVerC*}( , σ, s, c) = 0] ≤ 1/p( ) if σ ∈ {CSig( , s, S, c)} and

Prob[CVerV_{CVerC*}( , σ, s, c) = 1] ≤ 1/p( ) otherwise.

The probability is taken over the coin tosses of CVerV and CVerC*.

Correctness of conversion: For all , all ( s, s) ∈ {CKGS(1^ )}, all ( c, c) ∈ {CKGC(1^ )}, all ∈ {0,1}*, and for all σ ∈ {CSig( , s, S, c)}, it holds that COVer( , CConv( , σ, s, c, c), s) = 1.
Security for the signer: Consider the following game against an adversary . First the key generators for the signer and the confirmer are run on input 1^ . Then is given as input the public keys of the signer and the confirmer, s and c, and the secret key c of the confirmer. is further allowed oracle access to the signer (i.e., it may ask for confirmer signatures of polynomially many messages { i}). Finally, halts and outputs a pair of strings ( , u) where ≠ i for all i. Then, for all such and all sufficiently large , we require that 's output satisfies COVer( , u, s) = 1 with negligible probability only. The probability is taken over the coin tosses of the signer, , and the key generators. (Note that the adversary can convert confirmer signatures itself as it is given c.)
Security for the confirmer / Invisibility of Signatures: Consider the following game against an adversary . First the key generators for the signer and the confirmer are run on input 1^ . The adversary is given the public keys of the signer and the confirmer, in addition to the secret key of the signer. Then the adversary can make arbitrary oracle queries to the confirmer via CVerC and CConv. For doing this, the adversary is allowed at any time (and repeatedly) to create additional signature-key pairs ( s', S') (not necessarily by running the key generator) and to interact with the confirmer with respect to these keys. Then, the adversary has to present two messages 1, 2 ∈ {0,1}*. After that we flip a fair coin. If the result is heads, the adversary is given σ = CSig( 1, s, S, c); if it is tails, the adversary is given a string σ = CSig( 2, s, S, c). Now the adversary is again allowed to query the signer and the confirmer, except that σ is not allowed in any of these queries. Finally, the adversary must output 0 or 1. We require that for all such adversaries, all polynomials p(·), and all sufficiently large , the probability that the adversary's output equals our coin flip is smaller than 1/2 + 1/p( ), where the probability is taken over the coin tosses of the signer, the confirmer, and the key generators.

Non-transferability of verification/disavowal: Consider the following two games involving the adversary, a signer, a confirmer, and a simulator:

Game 1. The adversary is given the public keys s and c of the signer and the confirmer. Then it can make arbitrary oracle queries to both of them via CSig, CVerC, and CConv. (Again the adversary is allowed at any time to create its own key pairs ( s', S') and run, e.g., CSig with these keys, and then interact with the confirmer with respect to these keys as well.) Then the adversary must present two strings, and σ, for which it wishes to carry out the protocol (CVerC, CVerV) with the confirmer. Next the confirmer and the adversary carry out this protocol with common input ( , σ, S, c). The confirmer's secret input will be c. In parallel, the adversary is allowed to make arbitrary queries to the signer and confirmer. Eventually, the adversary stops, producing an output.

Game 2. This game is the same as Game 1 with the difference that when it comes to the interaction with the confirmer on and σ, the simulator is plugged in in the place of the confirmer. However, in all other interactions with the adversary the real confirmer or the real signer speak with the adversary. The simulator is not given the secret key of the confirmer, but it is allowed a single call to an oracle that tells it whether the strings and σ produced by the adversary are a valid confirmer signature w.r.t. s and c.

Now we require that for every adversary there exists a simulator such that for all sufficiently large , all ( s, s) ∈ {CKGS(1^ )}, and all ( c, c) ∈ {CKGC(1^ )}, the outputs of the adversary when playing Game 1 and Game 2 are indistinguishable. In other words, there must exist a simulator such that the adversary cannot distinguish whether he is playing Game 1 or 2.

We call a confirmer signature scheme perfectly convertible with respect to some (ordinary) signature scheme if converted confirmer signatures are valid signatures with respect to this signature scheme.

Throughout the paper we assume that the policy stating the circumstances under which the confirmer is allowed to confirm/disavow a confirmer signature is part of the actual message and that he refuses cooperation whenever the policy requires so. This is sufficient to ensure that verifiers cannot circumvent a policy. Schemes according to our definition are separable, i.e., all parties can run their key generation algorithms independently of each other (cf. [6]). This enables signers to choose a confirmer on a per-signature basis at signing time.

Remark 1. One could easily add a protocol between a confirmer signature recipient and the signer in which the signer proves to the recipient that a confirmer signature just generated is valid. The only modification to our model would be that one would have to add a security requirement for this protocol that is similar to the one of non-transferability of verification/disavowal for (CVerC, CVerV). Furthermore, the adversary has to be allowed to use this new protocol in the games defined in security for the signer and non-transferability of verification/disavowal.

2.2 Comparison with Previous Formal Models

Let us point out the differences between our model and the previous formal models [21,23].

As mentioned in the introduction, Okamoto's model enables the signer to confirm and deny signatures, which makes the signer vulnerable to a coercer that forces him to confirm or deny a signature. The model does not include selective conversion. Moreover, his model defines a weaker notion of security for the confirmer: the adversary knowing the signer's secret key wins the game only if he is able to behave like the confirmer, i.e., to confirm and disavow signatures, but does not win the game if he can distinguish between two confirmer signatures (or between a valid and an invalid confirmer signature). The crucial difference, however, lies in the definition of invisibility and untransferability, where the adversary has access only to the confirmation and disavowal protocol run with the true signer, but not with the confirmer. Thus it does not cover adaptive attacks against the confirmer. For instance, the signature transformation attack mentioned below is not captured by this model. In fact, one can construct a scheme that is secure in Okamoto's model but is vulnerable to this signature transformation attack. Such a scheme is obtained from one of the schemes in [21] by having the signer choose an encryption public key and then appending to the signature an encryption of all random choices made by the signer in the signing protocol under this public key (this encryption also must be signed together with the message). This will allow the signer to confirm/disavow signatures as required in Okamoto's model.

The model by Michels and Stadler does not explicitly enable the signer to confirm and deny signatures, but it does not exclude it either. In particular, the security for the confirmer (where the adversary gets the signer's secret key) as well as the selective conversion are not included. Their definition of invisibility allows the adversary only to query the confirmer with respect to a certain signer, and the adversary is not given the signer's secret key, i.e., they allow only a very restricted kind of adaptive attack. This model is realistic only if there is a single signer that is furthermore assumed to be honest. However, if several signers are allowed and they are not all assumed to be honest, then their schemes are vulnerable to the signature transformation attack as described in the next section.
2.3 Adaptive Signature-Transformation Attacks

This section points out that the previously suggested schemes [9,21,23] are vulnerable to an adaptive attack and are indeed insecure in our model. Before describing this attack, we note that the scheme proposed in [22] is not secure in our model because it has the property that, given a signature and two different messages, it is publicly verifiable w.r.t. which message the signature is potentially valid. Due to this property the invisibility requirement in our model cannot be satisfied. Furthermore, the scheme presented in [11] is insecure in all models, i.e., even against non-adaptive attackers (see Appendix A).

We first show that the proof-based scheme by Michels and Stadler [21, Section 5.2], which was proved secure in their model, is vulnerable to a so-called adaptive signature-transformation attack that exploits the malleability of the used building block. The practical scheme by Okamoto [23], with or without the heuristic fix of another vulnerability suggested in [21], as well as Chaum's scheme [9] are vulnerable to a similar attack. We omit the details regarding those schemes here.

Let us first recall the scheme by Michels and Stadler. It uses as building blocks so-called proof-based signature schemes (an example is Schnorr's signature scheme [26]) and confirmer commitments. For simplicity, let us use the confirmer commitment provided in [21, Section 4.2] and the Schnorr signature scheme [26] in the following. With these choices the public key of the signer is a group = ( ), a prime = | |, and ∈ . The signer's secret key is = log_g . The confirmer's public key is = (h), a prime p = | |, and ∈ . The confirmer's secret key is u = log_h . Furthermore, a suitable hash function H is publicly known. The signer can issue a confirmer signature on as follows.

1. 1 ∈ Z_q, 2 ∈ Z_p, t := , := ( 1, 2) := ( , ).

2. := H( , ), and := 1 − mod .

The confirmer signature is (t, ( 1, 2), ). The confirmer can tell whether a given confirmer signature (t, ( 1, 2), ) is valid by checking whether 2 / 1^u = and H( ) = hold. We refer to [21] for the confirmation/disavowal protocol.

Now we are ready to describe the signature transformation attack. We are given an alleged confirmer signature (t, ( 1, 2), ) on w.r.t. a signer's public key ( , ). Furthermore, assume that the confirmer is not allowed to tell us whether this particular signature is valid. The following attack will allow us to transform the signature into another signature that is independent from (t, ( 1, 2), ). To do so, we choose our own signing public and secret keys ~ = (~) with |~| = ~. Then we choose a random message ~ and

1. '1 ∈ Z_q, '2 ∈ Z_p, t := , ' := ('1, '2) := ( 1, ),

2. ' := H( , ), and ~ := '1 − " mod ~,

and get the new confirmer signature (t, ( 1, 2), '). This confirmer signature is valid if and only if the original confirmer signature (t, ( 1, 2), ) is valid. Furthermore, if the original confirmer signature is valid, then the new confirmer signature is indistinguishable from a confirmer signature made using the real signing algorithm with our public key. Hence we can simply feed the signature (t, ( 1, 2), ~) to the confirmer and he will in fact tell us whether (t, ( 1, 2), ) is valid. This attack breaks the invisibility property, and it is possible because the confirmer commitment is malleable. Note that the definition of security for confirmer commitments in [21] does not consider adaptive adversaries.

A variant of this attack works even if the used confirmer commitment is non-malleable: after the attacker has obtained the confirmer signature (t, ) on w.r.t. a signer's public key ( , ), he computes a new public key (~, ~) by picking ~, ~ ∈ and computing ~ := and ~ := ~^ . Now (t, (~ − H( )~ mod )) will be a valid confirmer signature on w.r.t. the signer's public key (~, ~) if and only if (t, ) is valid w.r.t. ( , ). In a similar way as above this attack breaks the invisibility property. The second scheme proposed in [21] is also vulnerable to this attack. However, this kind of attack can easily be countered by adding the signer's public key to the input of the confirmer commitment.



3 A Generic Realization of Confirmer Signature Schemes

This section presents a generic confirmer signature scheme, proves its security, and discusses its implications. As we will see in the next section, this generic scheme has concrete instances that are quite efficient.

Let SIG = (SKG, Sig, Ver) denote a signature scheme, where SKG is the key-generation algorithm (which on input 1^ outputs a key pair ( , )), Sig is the signing algorithm (which on input of a secret key , the corresponding public key , and a message ∈ {0,1}* outputs a signature on ), and Ver is the verification algorithm (which on input of a message , an alleged signature , and a public key outputs 1 if and only if is a signature on with respect to ). Moreover, let ENC = (EKG, Enc, Dec) denote a public key encryption scheme. On input of a security parameter, EKG outputs a key pair ( ', '). On input of a public key ' and a message ', Enc outputs a ciphertext . On input of the ciphertext of the message ', the secret key ', and the public key ', Dec outputs ' if is valid and ⊥ otherwise.

Given a suitable signature scheme SIG = (SKG, Sig, Ver) and a suitable encryption scheme ENC = (EKG, Enc, Dec), a confirmer signature scheme can be constructed as follows. We will later see what suitable means.

1. The respective key generators are chosen as CKGS(1^ ) = SKG(1^ ) and CKGC(1^ ) = EKG(1^ ).

2. The signer signs a message ∈ {0,1}* by computing := Sig( s, S, ) and := Enc( c, ). The confirmer signature on is given by .

3. The confirmation and disavowal protocol (CVerC, CVerV) between the confirmer and a verifier is done as follows: Given an alleged confirmer signature and a message , the confirmer decrypts to get " := Dec( , c, c). If Ver( , ", s) = 1, then the confirmer tells the verifier that the confirmer signature is valid and shows this by proving in concurrent zero-knowledge that he knows values and such that " is the secret key corresponding to c AND = Dec( , , c) and Ver( , , s) = 1." Otherwise, the confirmer tells the verifier that the confirmer signature is invalid and proves in concurrent zero-knowledge that he knows values and such that " is the secret key corresponding to c and (( = Dec( , , c) and Ver( , , s) = 0) OR decryption fails)."

4. The selective conversion algorithm CConv( , , s, c, c) outputs Dec( , c, c), provided Ver( , Dec( , c, c), s) = 1, and ⊥ otherwise.

5. The public verification algorithm for converted signatures is defined as COVer( , , s) = Ver( , , s).

Theorem 1. If SIG is existentially unforgeable under an adaptive chosen-message attack and ENC is secure against adaptive chosen-ciphertext attacks, then the above construction constitutes a secure confirmer signature scheme with perfect conversion.

Proof: [Sketch] The properties correctness of confirmation/disavowal, validity of confirmation/disavowal, and correctness of conversion are obviously satisfied. Let us consider the remaining properties.

Security for the signer: We show that if there is an adversary that can forge a confirmer signature, then could be used to forge signatures of the signature scheme SIG in an adaptive chosen-message attack: The messages i that are queried by are simply forwarded to the signing oracle of the underlying signature scheme SIG and then the result is encrypted using ENC. If is able to produce a valid confirmer signature for any message that is not in the set of queried messages, we can convert this confirmer signature into a valid ordinary signature by the conversion algorithm. If is able to compute a valid signature for any message that is not in the set of messages previously queried, we are already done. Both cases contradict the security of SIG.

Security for the confirmer/invisibility of signatures: We show that if there exists an adversary that can violate this property, then the encryption scheme ENC is not secure against adaptive chosen-ciphertext attacks: When getting 's request for confirmation/disavowal of a message and an alleged confirmer signature , we forward to the decryption oracle of the underlying encryption scheme and obtain . If is an (ordinary) signature of , then we tell that the confirmer signature is valid and carry out the proof that this is indeed the case. Of course, we cannot carry out the real protocol, but as it is required to be concurrent zero-knowledge, there exists a simulator for it which we can use. The case where is not a valid signature is similar. If requests the conversion of and , we forward to the decryption oracle, get , and then we output if is a valid ordinary signature on , or ⊥ otherwise.

When it comes to the point where presents the "test messages" 1 and 2, we produce signatures of them, i.e., 1 and 2, and present these as "test messages" to the game in the underlying encryption scheme. Then we forward the encryption we get as the challenge from the underlying game to as a challenge. The following queries of are handled as before. When eventually halts and outputs 0 or 1, we forward this output as an answer in the game against the underlying encryption scheme. This concludes the reduction.

Non-transferability of verification/disavowal: This property follows in a straightforward manner from the concurrent zero-knowledge property of the proofs in the confirmation/disavowal protocol.

□

Corollary 1. I. If trapdoor one-way permutations exist then there exists a secure confirmer signature scheme. II. A secure confirmer signature scheme exists if and only if a public key encryption scheme secure against adaptive chosen-ciphertext attacks exists (cf. [23, Theorem 3]).

Proof: Part I. The existence of trapdoor one-way permutations implies a secure signature scheme and an encryption scheme secure against adaptive chosen-ciphertext attacks [3,16,20,25]. Due to Theorem 1, this is sufficient for a secure confirmer signature scheme. Part II. On the one hand, an encryption scheme for encrypting a single bit follows from a secure confirmer signature scheme (cf. [23]). Let the public key of the encryption scheme be the public key of the confirmer. To encrypt, one chooses a signer's key pair; then a 0 is encrypted by issuing a valid confirmer signature on a randomly chosen message and a 1 is encrypted by issuing a simulated (invalid) confirmer signature on a randomly chosen message. On the other hand, if a secure public key encryption scheme exists then there exist one-way functions and hence a signature scheme secure against adaptive chosen-message attacks [20,25]. Due to Theorem 1, this is sufficient for a secure confirmer signature scheme. □

Remark 2. The generic confirmer signature scheme exhibited in this section provides perfect convertibility with respect to the signature scheme SIG.

Remark 3. The described generic confirmer signature scheme has some similarities to the generic scheme due to Okamoto [23]. However, as Okamoto's model requires the signer to have the ability to deny invalid confirmer signatures, this scheme cannot satisfy the invisibility property as stated above. Whereas Okamoto's generic scheme is a theoretical construction requiring general zero-knowledge proofs for confirmation and disavowal, our scheme has concrete instances with quite efficient protocols for confirmation and disavowal.



4 An Instance Providing Perfect Conversion of Signatures 

This section provides an instance based on an arbitrary deterministic RSA sig- 
nature scheme [24] and the Cramer-Shoup encryption scheme [13]. Instances for 
other signature schemes such as DSS or Schnorr can be realized similarly using 
the signature reduction techniques from [1]. 
4.1 Notation

We use notation from [6,7] for the various proofs of knowledge of discrete logarithms and proofs of the validity of statements about discrete logarithms. For instance,

PK{( , , γ) : = ^ h^ ∧ ~ = ~^ ~h^γ ∧ (u < < v)}

denotes a "zero-knowledge Proof of Knowledge of integers , , and γ such that = ^ h^ and ~ = ~^ ~h^γ hold, where u < < v," where , h, ~ and ~h are elements of some groups = ( ) = (h) and ~ = (~) = (~h). The convention is that Greek letters denote the knowledge proved, whereas all other parameters are known to the verifier. The scheme presented in this section uses proofs of knowledge of double discrete logarithms and of roots of discrete logarithms [7,27] and proofs that a discrete logarithm lies in an interval [5,12], e.g., (u < log_g < v). These protocols are 3-move zero-knowledge proofs of knowledge with binary challenges.

An important variant of such protocols are concurrent zero-knowledge proofs (of knowledge). They are characterized by remaining zero-knowledge even if several instances of the same protocol are run arbitrarily interleaved [14,15,17]. Damgård [15] shows that 3-move proofs (this includes all protocols considered in this paper) can easily be made concurrent zero-knowledge in many practical scenarios. We denote the resulting protocols by, e.g., CZK-PK{ : = }.

4.2 Description of the Scheme 

We briefly review both schemes we use as building blocks and then describe the resulting confirmer signature scheme.

Let ( ) be an RSA public key of a signer and Pads (•): {0 1}* ^ {1 }

be some padding function. To sign a message G {0 1}*, the signer computes 
:= Padsi )^^® mod . To verify a signature on , one checks whether 
^ = Pads{ ) (mod ). If the padding function is assumed to be a truly random 
function, the system is secure against adaptively chosen-message attacks under 
the RSA assumption [4]. 

The Cramer-Shoup encryption scheme works over some group of (large) 
prime order of which two generators hi and ft -2 are known. The secret key 
consists of five elements 1 5 Gfl Zg and the public key (1 2 3 ) is com- 

puted as 1 := hf^h2^, 2 := h^^h^^, and 3 := Encryption of a message 
G is done by choosing a random Zg and computing i := h\, 2 := ^ 2 > 

3 := 3 , and 4 '■= i Decryption of a tuple ( 1 2 3 4 ) G ^ is 

done by computing u\=H{ \ 2 3 ) and checking whether x^+xiu _ 

If this condition does not hold, the decryption algorithm outputs ⊥. Otherwise, it computes ' := 3 / 1 ’^ and outputs '. Provided the decision Diffie-Hellman assumption holds in and the hash function H used is chosen collision resistant, the system is secure against adaptive chosen-ciphertext attacks [13].

We are now ready to present the different procedures of the confirmer signature scheme.
Key Generation: CKGS: The signer chooses an RSA public key ( ). Furthermore, the signer also publishes a group = ( i) = ( 2) of order . CKGC: The confirmer chooses sufficiently large primes and p = 2 -|- 1 and two elements h1 and h2 from Z* such that (■^) = (^) = 1 and log_{h1} h2 is unknown. Furthermore, the confirmer publishes a group = (h1) of order p. This group is required for the proofs in the confirmation/disavowal protocol. A collision resistant hash function H is fixed.

Signing: We assume p/ 2 . (The case p /2 can be handled by splitting the signature into two or more parts before encryption. We refer to the forthcoming full version of the paper for details.) To sign a message ∈ {0,1}*, the signer computes ' := Pads{ mod , sets := ' if = 1 and := p— " otherwise (hence = 1 ). The signer encrypts by choosing a random

Sfl Zq and computing i := h{, 2 ■= h^, 3 '■= 3 , and 4 '■= / 

The confirmer signature on is σ := ( 1 2 3 4).

Confirmation and disavowal: The verifier chooses h2 Gr and hs Gr . Upon 
receipt of a request G {0 1 }* ( ) G {0 1 }* x Z„ cr = ( 1 2 3 4) G 

and (ft-2 hs) G x from a verifier the confirmer first decrypts (1234) 
and gets a value " if decryption does not fail. If 0 ' he sets := 

and := p — " otherwise. If 0 and ® = Pads{ ) (mod ) holds, 

the confirmer tells the verifier that the confirmer signature σ is valid and otherwise that it is not valid.

If σ is valid (confirmation): The confirmer computes commitments 1 := f 2^ and 2 := h(hlfi with vi ∈_R Zn and V2 ∈_R Zp and sends 1 and 2 to the verifier. Then, confirmer and verifier carry out the following protocol:

GZK~PK{{ ^ § p I e) : 

1 = h/h^ A 2 = h/h^^ A 3 = hi A 
hf = fh’f) A 4= 7 ( ^ 

(( 2 = hlh’'fi A 1= A (1 < < - 1 )) V 

( 2 = (l/^i)’’^2" A 1 = f 2"" A (1 < d < - 1 ))) A 

_ Q 1^6 A Pads(m) _ a®-! 

1 — I2A I ~ I i 

With this protocol the confirmer convinces the verifier that decryption was successful and that either the decrypted value or p minus the decrypted value is a valid RSA signature with respect to , , , and Pads. We refer the reader to the full paper for the protocol in all its details.

If σ is not valid (disavowal): If decryption failed, the confirmer chooses ' ∈_R Zp and ∈_R Zat such that (|) = 1. Then he computes the following

commitments 1 := f 2^, 2'-=h\li/fi, 3:= f 2^, 4:= 

^.4 Xl+X2nic,,c,,c) . 3 +^ 4 H(ci.C,C 3 )^ ^ ^.3 Gr Z„, 
V 5 Zp, and V 4 Z^. He sends (1 2 3 4 5) to the verifier.

Confirmer and verifier carry out the following protocol: 

CZK~PK^^{-f p K 1 2 3 1 14): 

1 = hjh^ A 2 = A 3 = hi A 

(( 4 = hi J{ W(ci.c 2 .c 3 ))p ^ ^ ^ ^ 

hr = 0 H"'""l 5 )"( 1 A 2 )"^) V 
{h\^= A 4 = 7 ( HCi.C 2 .C 3 )^A H(ci.c„ca)^p ^ 

(( 2 = /ir^ 2 ^A 1 = r 2"^ A 3 = r' 2^ A 

1 = ( 3/ P°-‘>-s{vn)y, A (1 < 1 < - 1 )) V 

( 2 = ( 1 Ai)“^^ 2 '’ A 1= r 2^" A 3= 2” A 

1 = ( 3/ (1 < 2 < - 1 )) V 

( ^ = hT'hT A ( < 3 <p- )))))} 

This protocol proves that either decryption fails or that both the encrypted value and p minus the encrypted value are either not in [1 — 1] or not a valid RSA signature with respect to , , , and Pads.

Selective conversion: If ( 1 2 3 4) is a valid confirmer signature, then the confirmer just returns the decryption of ( 1 2 3 4) and otherwise answers ⊥.
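The signing and selective-conversion procedures above, together with the RSA and Cramer-Shoup building blocks reviewed at the start of this section, as an added worked example in Python; this is not the paper's code and it omits the confirmation/disavowal proofs. All parameters are tiny constructed values: the RSA modulus, the hash-based padding standing in for Pad_S, the safe prime p = 2q+1 found by search, and the generators h1, h2 are illustrative assumptions, not the paper's.

```python
import hashlib
import secrets

def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True

def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

# Signer's RSA key: toy modulus n = 1009 * 1013 (constructed values).
N, E = 1009 * 1013, 65537
D = pow(E, -1, (1009 - 1) * (1013 - 1))

def pad_s(msg: bytes) -> int:
    """Stand-in for Pad_S: hash the message into [1, n-1] (constructed, deterministic)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (N - 1) + 1

def rsa_sign(msg: bytes) -> int:
    return pow(pad_s(msg), D, N)

def rsa_verify(msg: bytes, s: int) -> bool:
    return pow(s, E, N) == pad_s(msg)

# Confirmer's group: safe prime p = 2q + 1 with n < p/2, as the scheme assumes.
def safe_prime_above(lo: int):
    """Smallest q >= lo with q and 2q + 1 both prime; returns (p, q)."""
    q = lo | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_above(N + 1)
# Squares mod p lie in the subgroup of order q. A real instance must generate h2
# so that log_h1(h2) is unknown to everyone; here both are simply constructed.
H1, H2 = pow(2, 2, P), pow(3, 2, P)

def hash_to_zq(c1: int, c2: int, c3: int) -> int:
    """The scheme's collision-resistant H, instantiated as SHA-256 reduced mod q."""
    digest = hashlib.sha256(f"{c1}|{c2}|{c3}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def cs_keygen():
    """Cramer-Shoup key generation: secret x1..x5, public (y1, y2, y3)."""
    x1, x2, x3, x4, x5 = (secrets.randbelow(Q) for _ in range(5))
    y1 = pow(H1, x1, P) * pow(H2, x2, P) % P
    y2 = pow(H1, x3, P) * pow(H2, x4, P) % P
    y3 = pow(H1, x5, P)
    return (x1, x2, x3, x4, x5), (y1, y2, y3)

def cs_encrypt(pk, m: int):
    """Encrypt group element m as (h1^r, h2^r, y3^r m, (y1 y2^u)^r), u = H(c1,c2,c3)."""
    y1, y2, y3 = pk
    r = secrets.randbelow(Q)
    c1, c2 = pow(H1, r, P), pow(H2, r, P)
    c3 = pow(y3, r, P) * m % P
    u = hash_to_zq(c1, c2, c3)
    c4 = pow(y1 * pow(y2, u, P) % P, r, P)
    return (c1, c2, c3, c4)

def cs_decrypt(sk, ct):
    """Return the plaintext, or None (the scheme's bottom) if the integrity check fails."""
    x1, x2, x3, x4, x5 = sk
    c1, c2, c3, c4 = ct
    u = hash_to_zq(c1, c2, c3)
    if pow(c1, x1 + x3 * u, P) * pow(c2, x2 + x4 * u, P) % P != c4:
        return None
    return c3 * pow(pow(c1, x5, P), -1, P) % P

def confirmer_sign(pk, msg: bytes):
    """Signing: RSA-sign, force the Legendre symbol (s/p) = 1, then encrypt s."""
    s1 = rsa_sign(msg)                           # s' < n < p/2
    s = s1 if legendre(s1, P) == 1 else P - s1   # p = 3 (mod 4), so (-1/p) = -1
    return cs_encrypt(pk, s)

def selective_convert(sk, msg: bytes, sigma):
    """Selective conversion: decrypt, undo the residue normalisation, check RSA."""
    s2 = cs_decrypt(sk, sigma)
    if s2 is None:
        return None                              # decryption failed
    s = s2 if 0 < s2 < N else P - s2             # exactly one candidate is below n
    return s if 0 < s < N and rsa_verify(msg, s) else None
```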

Remark 4. As the confirmation and the disavowal protocol involve double discrete logarithms, they are not very efficient because they use binary challenges. If batch verification technology [2] is incorporated, the computational load of both the verifier and the confirmer is about 20 times that of a similar proof with non-binary challenges. Furthermore, the protocol could be made more efficient by allowing non-binary challenges for parts of the protocol. Moreover, if is small (e.g., 3 or 5), then there is a much more efficient way of proving the knowledge of a root of a discrete log (cf. [7]).

5 Alternative Generic Solutions 

Although the two generic schemes presented in [21] are demonstrably insecure, they can both be modified such that they are provably secure in our model. In contrast to the scheme exhibited in Section 3, these schemes cannot provide perfect convertibility with respect to signature schemes such as RSA or DSS. However, they have instances where the confirmation and disavowal protocol is an order of magnitude more efficient than for the scheme described in the previous section. We note that the bi-proof proposed in [21] for disavowal is not computational zero-knowledge; however, it can be replaced by a similar proof that is perfect zero-knowledge (we refer to the full version of this paper for details).

The first scheme in [21] is based on signature schemes that are derived from 3-move honest-verifier zero-knowledge proofs of knowledge. The Schnorr signature scheme [26] is a typical example thereof. If an encryption scheme secure against adaptive chosen-ciphertext attacks is used as confirmer commitment scheme and the public keys of the signer and the confirmer are appended to the message that is signed, then the resulting confirmer signature scheme can be proven secure in our model provided that the underlying 3-move proofs of knowledge have the property that the third message is uniquely defined by the first two messages.

The second scheme in [21] is based on signature schemes that are existentially 
forgeable in their basic variant but become secure if a hash of the message is 
signed instead of the plain message. The RSA signature scheme is a typical 
representative for this class of signature schemes. Again, if an encryption scheme 
secure against adaptive chosen-ciphertext attacks is used, the public keys of the 
signer and the confirmer are appended to the message, and the signature scheme 
is deterministic, then the resulting confirmer signature scheme can be shown to 
be secure in our model. 

Details will be given in the forthcoming full version of this paper. 



6 Applications to Other Scenarios 

As mentioned in [21], confirmer signature schemes with conversion can be used to realize fair contract signing schemes as follows. The trusted third party in the contract signing scheme plays the role of the confirmer. Furthermore, recall that a signer can always confirm a valid confirmer signature. Thus, a confirmer signature scheme together with a confirmation protocol for the signer can be used to replace the “verifiable signature encryption scheme” in [1]: the parties issue confirmer signatures and prove the correctness of their respective signatures. After this step, either the real signatures can be exchanged or, if this fails, they can ask the TTP/confirmer to convert the confirmer signatures (a suitable policy for the TTP/confirmer should be included in the signed messages). The resulting optimistic fair contract signing scheme can be shown to be secure in the standard model (i.e., not in the random oracle model) if the security of the underlying signature scheme is assumed.

It is also possible to employ the techniques used for our confirmer signature scheme for realizing verifiable signature sharing schemes [18]. In a nutshell, a promise to a signature is split into shares according to a given secret sharing scheme. Then each of the shares is encrypted (similarly to the ordinary signature in our confirmer signature scheme) and it is proved that the encrypted values are indeed correct shares. Such a proof is similar to the confirmation protocol exhibited in Section 4. This approach is possible for signature schemes such as RSA or DSS. The resulting scheme will enjoy separability and be secure against adaptive attackers, while previous solutions were either insecure [18] or secure only in a non-adaptive model [8,19].
A An Insecure Confirmer Signature Scheme

This section shows that the scheme due to Chen [11] is insecure because the confirmer can forge confirmer signatures of any message for an arbitrary signer. Let us review this scheme briefly. Public system parameters are a group = ( ) and a prime = | |. The signer’s public key is G and its secret key is = log^ . The confirmer’s public key is G and its secret key is w = logg . Furthermore, a suitable hash function H is known. The signer generates
a confirmer signature on by picking u k\ ^2 G_r Zg and computing ~ := 

" := 1 := ^= 1 , 2 := := 7t( 1 2 ), 1 := fci - u mod , and 2 := 

k^—u mod . The resulting confirmer signature on is given by ( 1 2 ' ")- 

It is valid if and only if = h{ and log^ " = logg . We refer to [11] 

for a discussion of how the confirmer confirms/disavows. 

This scheme is insecure because the confirmer can fake confirmer signatures 
for an arbitrary signer and message : He picks random values t 2 G_r Zg 
and computes := h{ * := /{w ) mod , ~ and 

I := t — mod . As * = and holds, ( 1 2 ~ ") is a confirmer signature on the message . This attack is possible although the security of the scheme is proved in [11]. The problem is that it is erroneously assumed in the security proof that the knowledge extractor learns o z", which is not necessarily the case.
Abstract. This paper addresses the security of public-key cryptosystems in a “multi-user” setting, namely in the presence of attacks involving the encryption of related messages under different public keys, as exemplified by Håstad’s classical attacks on RSA. We prove that security in the single-user setting implies security in the multi-user setting as long as the former is interpreted in the strong sense of “indistinguishability,” thereby pin-pointing many schemes guaranteed to be secure against Håstad-type attacks. We then highlight the importance, in practice, of considering and improving the concrete security of the general reduction, and present such improvements for two Diffie-Hellman based schemes, namely El Gamal and Cramer-Shoup.



1 Introduction 

Two Settings. The setting of public-key cryptography is usually presented like this: there is a receiver, possession of whose public key pk enables anyone to form ciphertexts which the receiver can decrypt using the secret key associated to pk. This single-user setting — so called because it considers a single recipient of encrypted data — is the one of formalizations such as indistinguishability and semantic security [9]. Yet it ignores an important dimension of the problem: in the real world there are many users, each with a public key, sending each other encrypted data. Attacks presented in the early days of public-key cryptography highlighted the presence of security threats in this multi-user setting that were not present in the single-user setting, arising from the possibility that a sender might encrypt, under different public keys, plaintexts which, although unknown to the attacker, satisfy some known relation to each other.

Håstad’s Attacks. An example of the threats posed by encrypting related messages under different public keys is provided by Håstad’s well-known attacks on the basic RSA cryptosystem [10].¹ Suppose we have many users where the public key of user i is an RSA modulus i and (for efficiency) all users use encryption exponent = 3. Given a single ciphertext i = m^3 mod i, the commonly accepted one-wayness of the RSA function implies that it is computationally infeasible for an adversary to recover the plaintext m. However, suppose now that a sender wants to securely transmit the same plaintext m to three different users, and does so by encrypting m under their respective public keys, producing ciphertexts 123 where i = m^3 mod i for i = 1 2 3. Then an adversary given 123 can recover m. (Using the fact that 123 are relatively prime, 123 can be combined by Chinese remaindering to yield mod 1 2 3. But < 1 2 3 so m can now be recovered.)

¹ As Håstad points out, the simple version of the attack discussed here was discovered by Blum and others before his work. His own paper considers extensions of the attack using lattice reduction [10]. For simplicity we will continue to use the term “Håstad’s attack(s)” to refer to this body of cryptanalysis.

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 259-274, 2000.

Several counter-measures have been proposed, e.g. padding the message with random bits. The benefit of such measures is, however, unclear in that although they appear to thwart the specific known attacks, we have no guarantee of security against other similar attacks.
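The e = 3 broadcast attack described above, and the random-padding counter-measure just mentioned, as an added example in Python (not from the paper). The three moduli, the message and the padding rule are constructed toy values; the attack combines the ciphertexts by Chinese remaindering into m^3 over the integers and takes an exact integer cube root.

```python
import secrets
from functools import reduce

E = 3
# Three users' toy RSA moduli (constructed): every prime factor is 2 mod 3,
# so e = 3 is a valid encryption exponent for each key.
MODULI = [1019 * 1031, 1049 * 1061, 1091 * 1103]

def rsa_encrypt(m: int, n: int) -> int:
    """Basic (textbook) RSA: no padding, no randomness."""
    return pow(m, E, n)

def crt(residues, moduli) -> int:
    """Chinese remaindering: the unique x in [0, prod n_i) with x = r_i (mod n_i)."""
    total = reduce(lambda a, b: a * b, moduli)
    x = 0
    for r, n in zip(residues, moduli):
        partial = total // n
        x += r * partial * pow(partial, -1, n)
    return x % total

def icbrt(x: int):
    """Exact integer cube root of x, or None when x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None

def broadcast_attack(ciphertexts, moduli):
    """Since m < every n_i, m^3 < n_1 n_2 n_3, so CRT returns m^3 as an integer."""
    return icbrt(crt(ciphertexts, moduli))

def same_plaintext_to_three_users(m: int):
    """The scenario in the text: one plaintext m encrypted under all three keys."""
    return broadcast_attack([rsa_encrypt(m, n) for n in MODULI], MODULI)

def padded_plaintext_to_three_users(m: int, bits: int = 8):
    """The counter-measure in the text: each copy gets fresh random prefix bits
    (constructed padding; kept nonzero so the padded value is never m itself).
    The three plaintexts now differ, so their CRT combination is not a cube."""
    cts = []
    for n in MODULI:
        padded = ((secrets.randbits(bits) | 1) << m.bit_length()) | m
        assert padded < n          # toy sizes chosen so the padded value fits
        cts.append(rsa_encrypt(padded, n))
    return broadcast_attack(cts, MODULI)
```

The padded variant defeats only this specific attack, which is exactly the paper's point: it gives no guarantee against related attacks.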

A General Reduction. The first and most basic question to address is whether it is possible to prove security against the kinds of attacks discussed above, and if so how and for which schemes. This question turns out to have a simple answer: the schemes permitting security proofs in the multi-user setting are exactly those permitting security proofs in the single-user setting, as long as we use “strong-enough” notions of security in the two cases. What is “strong-enough”? Merely having the property that it is hard to recover the plaintext from a ciphertext is certainly not: basic RSA has this property, yet Håstad’s attacks discussed above show it is not secure in the multi-user setting. Theorem 1 interprets “strong enough” for the single-user setting in the natural way: secure in the sense of indistinguishability of Goldwasser and Micali [9]. As to the multi-user setting, the notion used in the theorem is an appropriate extension of indistinguishability that takes into account the presence of multiple users and the possibility of an adversary seeing encryptions of related messages under different public keys. We prove the general reduction for security both under chosen-plaintext attack and chosen-ciphertext attack, in the sense that security under either type of attack in one setting implies security under the same type of attack in the other setting. (The analogous statement can be shown with regard to non-malleability [7] under chosen-plaintext attack, and a simple way to extend our proof to that setting is to exploit the characterization of [5].)

We view ourselves here as establishing what most theoreticians would have 
“expected” to be true. The proof is indeed simple, yet validating the prevailing 
intuition has several important elements and fruits beyond the obvious one of 
filling a gap in the literature, as we now discuss. 

Immediate Consequences. The above-mentioned results directly imply security guarantees in the multi-user setting for all schemes proven to meet the notion of indistinguishability, under the same assumptions that were used to establish indistinguishability. This includes practical schemes secure against chosen-plaintext attack [8], against chosen-ciphertext attack [6], and against chosen-ciphertext attack in the random oracle model [4,12].
These results confirm the value of using strong, well-defined notions of security and help to emphasize this issue in practice. As we have seen, designers attempt to thwart Håstad-type attacks by specific counter-measures. Now we can say that the more productive route is to stick to schemes meeting notions of security such as indistinguishability. Designers are saved the trouble of explicitly considering attacks in the multi-user setting.

The Model. The result requires, as mentioned above, the introduction of a new model and notion. We want to capture the possibility of an adversary seeing encryptions of related messages under different keys when the choice of the relation can be made by the adversary. To do this effectively and elegantly turns out to need some new definitional ideas. Very briefly — see Section 3 for a full discussion and formalization — the formalization introduces the idea of an adversary given (all public keys and) a list of “challenge encryption oracles,” one per user, each oracle capable of encrypting one of two given equal-length messages, the choice of which being made according to a bit that although hidden from the adversary is the same for all oracles.² This obviates the need to explicitly consider relations amongst messages. This model is important because its use extends beyond Theorem 1, as we will see below.

Isn’t Simulation Enough? It may appear at first glance that the implication (security in the single-user setting implies security in the multi-user setting for strong-enough notions of security) is true for a trivial reason: an adversary attacking one user can just simulate the other users, itself picking their public keys so that it knows the corresponding secret keys. This doesn’t work, and misses the key element of the multi-user setting. Our concern is an adversary that sees ciphertexts of related messages under different keys. Given a challenge ciphertext of an unknown message under a target public key, a simulator cannot produce a ciphertext of a related message under a different public key, even if it knows the secret key corresponding to the second public key, because it does not know the original message. Indeed, our proof does not proceed by this type of simulation.

The Need for Concrete Security Improvements. Perhaps the most important impact of the general reduction of Theorem 1 is the manner in which it leads us to see the practical importance of concrete security issues and improvements for the multi-user setting.

Suppose we have a system of n users in which each user encrypts up to e messages. We fix a public-key cryptosystem V£ used by all users. Theorem 1 says that the maximum probability that an adversary with running time t can compromise security in the multi-user setting — this in the sense of our definition discussed above — is at most en times the maximum probability that an adversary with running time closely related to t can compromise security in the standard sense of indistinguishability. Notationally, e) < where t' ≈ t. (Here I represents any possible information common to all users and should be ignored at a first reading, and the technical term for the “maximum breaking probabilities” represented by the notation is “advantage”.) It follows that if any poly-time adversary has negligible success probability in the single-user setting, the same is true in the multi-user setting. This corollary is what we have interpreted above as saying that “the schemes secure in the single-user setting are exactly those secure in the multi-user setting”. However, what this theorem highlights is that the advantage in the multi-user setting may be more than that in the single-user setting by a factor of en. Security can degrade linearly as we add more users to the system and also as the users encrypt more data. The practical impact of this is considerable, and in the full version of this work [2] we illustrate this with some numerical examples that are omitted here due to lack of space.

² An encryption oracle is used in definitions of security for private-key encryption [3] because there the encryption key is secret, meaning not given to the adversary. One might imagine that oracles performing encryption are unnecessary in the public-key case because the adversary knows the public keys: can’t it just encrypt on its own? Not when the message in question is a challenge one which it doesn’t know, as in our setting.

We prove in Proposition 1 that there is no general reduction better than ours: if there is any secure scheme, there is also one whose advantage in the two settings provably differs by a factor of en. So we can’t expect to reduce the security loss in general. But we can still hope that there are specific schemes for which the security degrades less quickly as we add more users to the system. These schemes become attractive in practice because for a fixed level of security they have lower computational cost than schemes not permitting such improved reductions. We next point to two popular schemes for which we can provide new security reductions illustrating such improvements.

El Gamal. The El Gamal scheme in a group of prime order can be proven to have the property of indistinguishability under chosen-plaintext attack (in the single-user setting) under the assumption that the decision Diffie-Hellman (DDH) problem is hard. (This simple observation is made for example in [11,6]). The reduction is essentially tight, meaning that the maximum probability that an adversary of time-complexity t can compromise the security of the El Gamal scheme in the single-user setting is within a constant factor of the probability of solving the DDH problem in comparable time. Theorem 1 then implies that the maximum probability of breaking the El Gamal scheme under chosen-plaintext attack in the presence of n users each encrypting e messages is bounded by 2en times the probability of solving the DDH problem in comparable time. We show in Theorem 2 that via an improved reduction the factor of en can be essentially eliminated. In other words, the maximum probability of breaking the El Gamal scheme under chosen-plaintext attack, even in the presence of n users each encrypting e messages, remains tightly related to the probability of solving the DDH problem in comparable time.

Our reduction exploits a self-reducibility property of the decisional Diffie-Hellman problem due to Stadler and Naor-Reingold [15,11], and a variant thereof that was also independently noted by Shoup [14]. See Lemma 1.

Cramer-Shoup. The Cramer-Shoup scheme [6] is shown to achieve indistinguishability under chosen-ciphertext attack (in the single-user setting) assuming the DDH problem is hard. Their reduction of the security of their scheme to that of the DDH problem is essentially tight. Applying our general result to bound the advantage in the multi-user setting would indicate degradation of security by a factor of en. We present in Theorem 3 an improved reduction which (roughly speaking) reduces the factor of en to a factor of e only. Thus the maximum probability of breaking the Cramer-Shoup scheme under chosen-ciphertext attack, in the presence of n users, each encrypting e messages, is about the same as is proved if there was only one user encrypting e messages. (The result is not as strong as for El Gamal because we have not eliminated the factor of e, but this is an open problem even when there is only one user.) This new result exploits Lemma 1 and features of the proof of security for the single-user case given in [6].

Discussion and Related Work. A special case of interest in these results is when n = 1, meaning we are back in the single-user setting, but are looking at an extension of the notion of indistinguishability in which one considers the encryption of up to e messages. Our results provide improved security for the El Gamal scheme in this setting.

The questions raised here can also be raised in the private-key setting: what happens there when there are many users? The ideas of the current work are easily transferred. The definitions of [3] for the single-user case can be adapted to the multi-user case using the ideas in Section 3. The analogue of Theorem 1 for the private-key setting is then easily proven.

Baudron, Pointcheval and Stern have independently considered the problem of public-key encryption in the multi-user setting [1]. Their notion of security for the multi-user setting — also proved to be polynomially-equivalent to the standard notion of single-user indistinguishability — is slightly different from ours. They do not consider concrete-security or any specific schemes. (The difference in the notions is that they do not use the idea of encryption oracles; rather, their adversary must output a pair of vectors of plaintexts and get back as challenge a corresponding vector of ciphertexts. This makes their model weaker since the adversary does not have adaptive power. If only polynomial-security is considered, their notion, ours and the single-user one are all equivalent, but when concrete security is considered, our notion is stronger.)

2 Definitions 

We specify a concrete-security version of the standard notion of security of a 
public-key encryption scheme in the sense of indistinguishability. We consider 
both chosen-plaintext and chosen-ciphertext attacks. 

First recall that a public-key encryption scheme VS = {K. S V) consists of
three algorithms. The key generation algorithm /C is a randomized algorithm 
that takes as input some global information / and returns a pair (pk sk) of 
keys, the public key and matching secret key, respectively; we write (pk sk) 
IC{I). (Here / includes a security parameter, and perhaps other information. 
For example in a Diffie-Hellman based scheme, / might include a global prime 
number and generator of a group which all parties use to create their keys.) 
The encryption algorithm £ is a randomized algorithm that takes the public key pk and a plaintext to return a ciphertext ; we write Spk{ ). The decryption algorithm I? is a deterministic algorithm that takes the secret key sk and a ciphertext to return the corresponding plaintext ; we write ^ T>sk{ )• Associated to each public key pk is a message space MsgSp(pk) from which is allowed to be drawn. We require that 'Dsk{£pk{ )) = for all e MsgSp(pk).

An adversary runs in two stages. In the “find” stage it takes the public key and outputs two equal-length messages m0, m1 together with some state information s. In the “guess” stage it gets a challenge ciphertext formed by encrypting a random one of the two messages, and must say which message was chosen. Below the superscript of “1” indicates that we are in the single-user setting, meaning that although there may be many senders, only one person holds a public key and is the recipient of encrypted information. In the case of a chosen-ciphertext attack the adversary gets an oracle for T>sk{-) and is allowed to invoke it on any point with the restriction of not querying the challenge ciphertext during the guess stage [13].

Definition 1. [Indistinguishability of Encryptions] Let V£ = {JC S T>) be 

a public- key encryption scheme. Let be adversaries where the latter 

has access to an oracle. Let / be some initial information string. For =01 
define the experiments 

Experiment Expp£P/( ^pg ) Experiment Exp^“^“;( ^^g ) 

(pk sk) ^JC{I) ’ (P^ sk) ^ JC{I) 

(mo mi s) ^ cpa(find I pk) (mo mi s) ^ ®t^'^(find I pk) 

^ £pk{mb) ^ £pk{mb) 

^ cpa(guess s) ^ f,t^\guess s) 

Return Return 

It is mandated that jmo] = ]mij above. We require that ^.^.g not make oracle 
query in the guess stage. We define the advantage of ^.pg and ^.^.g, respec- 
tively, as follows: 

Adv^l]T( ,pg) = Pr [ Exp^-“P;( ,pg 0) = 0 ] - Pr [ Exp^““P;( ,pg 1) = 0 ' 

Adv^l“;( ,,g) = Pr [ Exp^l“( ^^g 0) = 0 ] - Pr [ Exp^-^““( ,,g 1) = 0 ] . 

We define the advantage function of the scheme for privacy under chosen-plain- 
text (resp. chosen- ciphertext) attacks in the single-user setting as follows. For 
any t o let 

Adv^-“P;(t) = max { Adv^-“P;( ,pg) } 

^cpa 

Adv^l“;(t o)=max{Adv^l“;( _) } 

^cca 

where the maximum is over all ^.pg (.^.g with “time-complexity” t, and, in the 
case of (.(.g, also making at most d queries to the T>sk{-) oracle. | 




Public-Key Encryption in a Multi-user Setting 265 



The “time-complexity” is the worst case execution time of the associated experiment plus the size of the code of the adversary, in some fixed RAM model of computation. (Note that the execution time refers to the entire experiment, not just the adversary. In particular, it includes the time for key generation, challenge generation, and computation of responses to oracle queries if any.) The same convention is used for all other definitions in this paper and will not be explicitly mentioned again. The advantage function is the maximum likelihood of the security of the encryption scheme V£ being compromised by an adversary, using the indicated resources, and with respect to the indicated measure of security.

Definition 2. We say that V£ is polynomially-secure against chosen-plaintext attack (resp. chosen-ciphertext attack) in the single-user setting if ) (resp. Advp“j( )) is negligible for any probabilistic, poly-time adversary. Here complexity is measured as a function of a security parameter that is contained in the global input I. If I consists of more than a security parameter (as in the El Gamal scheme), we fix a probabilistic generator for this information and the probability includes the choices of this generator.

3 Security in the Multi-user Setting 

We envision a set of n users. All users use a common, fixed cryptosystem VS = (/C £ V). User i has a public key pk_i and holds the matching secret key sk_i. It is assumed that each user has an authentic copy of the public keys of all other users.

As with any model for security we need to consider attacks (what the adversary is allowed to do) and success measures (when is the adversary considered successful). The adversary is given the global information I and also the public keys of all users. The main novel concern is that the attack model must capture the possibility of an adversary obtaining encryptions of related messages under different keys. To have a strong notion of security, we will allow the adversary to choose how the messages are related, and under which keys they are encrypted. For simplicity we first address chosen-plaintext attacks only.

Some Intuition. To get a start on the modeling, consider the following game. We imagine that a message m is chosen at random from some known distribution, and the adversary is provided with £_{pk_1}(m), a ciphertext of m under the public key of user 1. The adversary’s job is to compute some partial information about m. To do this, it may, for example, like to see an encryption of m under pk_2. We allow it to ask for such an encryption. More generally, it may want to see an encryption of the bitwise complement of m under yet another key, or perhaps the encryption of an even more complex function of m. We could capture this by allowing the adversary to specify a polynomial-time “message modification function” and a user index , and obtain in response £pk^{ (w)), a ciphertext of the result of applying the modification function to the challenge message. After many such queries, the adversary must output a guess of some partial information about m and wins if it can do this with non-trivial advantage. Appropriately generalized, these ideas can be used to produce a semantic-security type notion of security for the multi-user setting, but, as should be evident even from our brief discussion here, it would be relatively complex. We prefer an indistinguishability version because it is simpler and extends more easily to a concrete security setting. It is nonetheless useful to discuss the semantic security setting because here we model the attacks in which we are interested in a direct way that helps provide intuition.

Indistinguishability Based Approach. The adversary is provided with all the public keys. But unlike in the single-user indistinguishability setting of Section 2, it will not run in two phases, and there will be no single challenge ciphertext. Rather the adversary is provided with $n$ different oracles $O_1, \ldots, O_n$. Oracle $i$ takes as input any pair $m_0, m_1$ of messages (of equal length) and computes and returns a ciphertext $\mathcal{E}_{pk_i}(m_b)$. The challenge bit $b$ here (obviously not explicitly given to the adversary) is chosen only once at the beginning of the experiment and is the same across all oracles and queries. The adversary’s success is measured by its advantage in predicting $b$.

We suggest that this simple model in fact captures encryption of related messages under different keys; the statement in the italicized text above is crucial in this regard. The possibility of the adversary’s choosing the relations between encrypted messages is captured implicitly; we do not have to worry about explicitly specifying message modification functions.

The Formal Definition. Formally, the left or right selector is the map $\mathrm{LR}$ defined by $\mathrm{LR}(m_0, m_1, b) = m_b$ for all equal-length strings $m_0, m_1$, and for any $b \in \{0,1\}$. The adversary $A$ is given $n$ oracles, which we call LR (left-or-right) encryption oracles,

$\mathcal{E}_{pk_1}(\mathrm{LR}(\cdot,\cdot,b)), \ldots, \mathcal{E}_{pk_n}(\mathrm{LR}(\cdot,\cdot,b))$

where $pk_i$ is a public key of the encryption scheme and $b$ is a bit whose value is unknown to the adversary. (LR oracles were first defined by [3] in the symmetric setting.) The oracle $\mathcal{E}_{pk_i}(\mathrm{LR}(\cdot,\cdot,b))$, given query $(m_0, m_1)$ where $m_0, m_1 \in \mathrm{MsgSp}(pk_i)$ must have equal length, first sets $m_b \leftarrow \mathrm{LR}(m_0, m_1, b)$, meaning $m_b$ is one of the two query messages, as dictated by bit $b$. Next the oracle encrypts $m_b$, computing $\mathcal{E}_{pk_i}(m_b)$, and returns the resulting ciphertext as the answer to the oracle query. The adversary also gets as input the public keys and the global information $I$.

In the case of a chosen-ciphertext attack the adversary is also given a decryption oracle with respect to each of the $n$ public keys. Note we must disallow a query to $\mathcal{D}_{sk_i}(\cdot)$ on any ciphertext that is an output of oracle $\mathcal{E}_{pk_i}(\mathrm{LR}(\cdot,\cdot,b))$. This is necessary for meaningfulness since if such a query is allowed $b$ is easily computed, and moreover disallowing such queries seems the least limitation we can impose, meaning the adversary has the maximum meaningful power. Below we indicate the number $n$ of users as a superscript.
Definition 3. Let $\mathcal{PE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a public-key encryption scheme. Let $A_{\rm cpa}, A_{\rm cca}$ be adversaries. Both have access to $n \ge 1$ oracles, each of which takes as input any two strings of equal length, and $A_{\rm cca}$ has access to an additional $n$ oracles each of which takes a single input. Let $I$ be some initial information string. For $b = 0, 1$ define the experiments:

Experiment $\mathbf{Exp}^{n\text{-cpa}}_{\mathcal{PE},I}(A_{\rm cpa}, b)$
    For $i = 1, \ldots, n$ do $(pk_i, sk_i) \leftarrow \mathcal{K}(I)$ EndFor
    Run $A_{\rm cpa}^{\mathcal{E}_{pk_1}(\mathrm{LR}(\cdot,\cdot,b)), \ldots, \mathcal{E}_{pk_n}(\mathrm{LR}(\cdot,\cdot,b))}(pk_1, \ldots, pk_n, I)$
    Return the bit output by $A_{\rm cpa}$

Experiment $\mathbf{Exp}^{n\text{-cca}}_{\mathcal{PE},I}(A_{\rm cca}, b)$
    For $i = 1, \ldots, n$ do $(pk_i, sk_i) \leftarrow \mathcal{K}(I)$ EndFor
    Run $A_{\rm cca}^{\mathcal{E}_{pk_1}(\mathrm{LR}(\cdot,\cdot,b)), \ldots, \mathcal{E}_{pk_n}(\mathrm{LR}(\cdot,\cdot,b)),\ \mathcal{D}_{sk_1}(\cdot), \ldots, \mathcal{D}_{sk_n}(\cdot)}(pk_1, \ldots, pk_n, I)$
    Return the bit output by $A_{\rm cca}$

It is mandated that a query to any LR oracle consists of two messages of equal length and that for each $i = 1, \ldots, n$ adversary $A_{\rm cca}$ does not query $\mathcal{D}_{sk_i}(\cdot)$ on an output of $\mathcal{E}_{pk_i}(\mathrm{LR}(\cdot,\cdot,b))$. We define the advantage of $A_{\rm cpa}$, and the advantage of $A_{\rm cca}$, respectively, as follows:

$\mathbf{Adv}^{n\text{-cpa}}_{\mathcal{PE},I}(A_{\rm cpa}) = \Pr\big[\mathbf{Exp}^{n\text{-cpa}}_{\mathcal{PE},I}(A_{\rm cpa}, 0) = 0\big] - \Pr\big[\mathbf{Exp}^{n\text{-cpa}}_{\mathcal{PE},I}(A_{\rm cpa}, 1) = 0\big]$

$\mathbf{Adv}^{n\text{-cca}}_{\mathcal{PE},I}(A_{\rm cca}) = \Pr\big[\mathbf{Exp}^{n\text{-cca}}_{\mathcal{PE},I}(A_{\rm cca}, 0) = 0\big] - \Pr\big[\mathbf{Exp}^{n\text{-cca}}_{\mathcal{PE},I}(A_{\rm cca}, 1) = 0\big] .$

We define the advantage function of the scheme for privacy under chosen-plaintext (resp. chosen-ciphertext) attacks, in the multi-user setting, as follows. For any $t, e, d$ let

$\mathbf{Adv}^{n\text{-cpa}}_{\mathcal{PE},I}(t, e) = \max\{\mathbf{Adv}^{n\text{-cpa}}_{\mathcal{PE},I}(A_{\rm cpa})\}$

$\mathbf{Adv}^{n\text{-cca}}_{\mathcal{PE},I}(t, e, d) = \max\{\mathbf{Adv}^{n\text{-cca}}_{\mathcal{PE},I}(A_{\rm cca})\}$

where the maximum is over all $A_{\rm cpa}, A_{\rm cca}$ with “time-complexity” $t$, making at most $e$ queries to each LR oracle, and, in the case of $A_{\rm cca}$, also making at most $d$ queries to each decryption oracle.



The advantage function is the maximum likelihood of the security of the symmetric encryption scheme $\mathcal{PE}$ being compromised by an adversary, using the indicated resources, and with respect to the indicated measure of security.

Remark 1. Notice that when $n = e = 1$ in Definition 3, the adversary’s capability is limited to seeing a ciphertext of one of two messages of its choice under a single target key. Thus Definition 3 with $n = e = 1$ is equivalent to Definition 1. We can view Definition 3 as extending Definition 1 along two dimensions: the number of users and the number of messages encrypted by each user.



Definition 4. We say that $\mathcal{PE}$ is polynomially-secure against chosen-plaintext (resp. chosen-ciphertext) attack in the multi-user setting if $\mathbf{Adv}^{n\text{-cpa}}_{\mathcal{PE},I}(A)$ (resp. $\mathbf{Adv}^{n\text{-cca}}_{\mathcal{PE},I}(A)$) is negligible for any probabilistic, poly-time adversary $A$ and polynomial $n$.

Again complexity is measured as a function of a security parameter that is contained in the global input $I$, and the latter is generated by a fixed probabilistic polynomial-time generation algorithm if necessary.

4 A General Reduction and Its Tightness 

Fix a public-key encryption scheme $\mathcal{PE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. The following theorem says that the advantage of an adversary in breaking the scheme in a multi-user setting can be upper bounded by a function of the advantage of an adversary of comparable resources in breaking the scheme in the single-user setting. The factor in the bound is polynomial in the number $n$ of users in the system and the number $e$ of encryptions performed by each user, and the theorem is true for both chosen-plaintext attacks and chosen-ciphertext attacks. The proof of Theorem 1 is via a simple hybrid argument that is omitted here due to lack of space but can be found in the full version of this paper [2].

Theorem 1. Let $\mathcal{PE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a public-key encryption scheme. Let $n, e, d, t$ be integers and $I$ some initial information string. Then

$\mathbf{Adv}^{n\text{-cpa}}_{\mathcal{PE},I}(t, e) \le en \cdot \mathbf{Adv}^{\rm cpa}_{\mathcal{PE},I}(t')$

$\mathbf{Adv}^{n\text{-cca}}_{\mathcal{PE},I}(t, e, d) \le en \cdot \mathbf{Adv}^{\rm cca}_{\mathcal{PE},I}(t', d)$

where $t' = t + O(\log(en))$.

The relation between the advantages being polynomial, we obviously have the following:

Corollary 1. Let $\mathcal{PE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a public-key encryption scheme that is polynomially-secure against chosen-plaintext (resp. chosen-ciphertext) attack in the single-user setting. Then $\mathcal{PE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is also polynomially-secure against chosen-plaintext (resp. chosen-ciphertext) attack in the multi-user setting.

Tightness of the Bound. We present an example that shows that in general the bound of Theorem 1 is essentially tight. Obviously such a statement is vacuous if no secure schemes exist, so first assume one does, and call it $\mathcal{PE}$. We want to modify this into another scheme $\mathcal{PE}'$ for which $\mathbf{Adv}^{n\text{-cpa}}_{\mathcal{PE}',I}(t, e)$ is $\Omega(en)$ times $\mathbf{Adv}^{\rm cpa}_{\mathcal{PE}',I}(t)$. This will be our counter-example. The following proposition does this, modulo some technicalities. In reading it, think of $\mathcal{PE}$ as being very good, so that $\mathbf{Adv}^{\rm cpa}_{\mathcal{PE},I}(t)$ is essentially zero. With that interpretation we indeed have the claimed relation.

Proposition 1. Given any public-key encryption scheme $\mathcal{PE}$ and integers $n, e$ we can design another public-key encryption scheme $\mathcal{PE}'$ such that for any $I$ and large enough $t$ we have

$\mathbf{Adv}^{n\text{-cpa}}_{\mathcal{PE}',I}(t, e) \ge 0.6$ and $\mathbf{Adv}^{\rm cpa}_{\mathcal{PE}',I}(t) \le \frac{1}{en} + \mathbf{Adv}^{\rm cpa}_{\mathcal{PE},I}(t)$.

The proof of Proposition 1 is in [2]. An analogous result holds in the chosen-ciphertext attack case, and we omit it.
5 Improved Security for DH Based Schemes

The security of the schemes we consider is based on the hardness of the Decisional Diffie-Hellman (DDH) problem. Accordingly we begin with definitions for the latter.



Definition 5. Let $G$ be a group of a large prime order $q$ and let $g$ be a generator of $G$. Let $D$ be an adversary that on input $q, g$ and three elements $X, Y, K \in G$ returns a bit. We consider the experiments

Experiment $\mathbf{Exp}^{\rm ddh\text{-}real}_{G,g}(D)$
    $x \xleftarrow{R} Z_q$; $y \xleftarrow{R} Z_q$; $X \leftarrow g^x$; $Y \leftarrow g^y$; $K \leftarrow g^{xy}$
    Return $D(q, g, X, Y, K)$

Experiment $\mathbf{Exp}^{\rm ddh\text{-}rand}_{G,g}(D)$
    $x \xleftarrow{R} Z_q$; $y \xleftarrow{R} Z_q$; $z \xleftarrow{R} Z_q$; $X \leftarrow g^x$; $Y \leftarrow g^y$; $K \leftarrow g^{z}$
    Return $D(q, g, X, Y, K)$

The advantage of $D$ in solving the Decisional Diffie-Hellman (DDH) problem with respect to $G, g$, and the advantage of the DDH with respect to $G, g$, are defined, respectively, by

$\mathbf{Adv}^{\rm ddh}_{G,g}(D) = \Pr\big[\mathbf{Exp}^{\rm ddh\text{-}real}_{G,g}(D) = 1\big] - \Pr\big[\mathbf{Exp}^{\rm ddh\text{-}rand}_{G,g}(D) = 1\big]$

$\mathbf{Adv}^{\rm ddh}_{G,g}(t) = \max\{\mathbf{Adv}^{\rm ddh}_{G,g}(D)\}$

where the maximum is over all $D$ with “time-complexity” $t$.

The “time-complexity” of $D$ is the maximum of the execution times of the two experiments $\mathbf{Exp}^{\rm ddh\text{-}real}_{G,g}(D)$ and $\mathbf{Exp}^{\rm ddh\text{-}rand}_{G,g}(D)$, plus the size of the code for $D$, all in our fixed RAM model of computation.

A common case is that $G$ is a subgroup of order $q$ of $Z_p^*$ where $p$ is a prime such that $q$ divides $p-1$. But these days there is much interest in the use of Diffie-Hellman based encryption over elliptic curves, where $G$ would be an appropriate elliptic curve group. Our setting is general enough to encompass both cases.

Our improvements exploit in part some self-reducibility properties of the DDH problem summarized in Lemma 1 below. The case where the last input to the algorithm is $\neq 0$ below is noted in [15, Proposition 1] and [11, Lemma 3.2]. The variant with last input $= 0$ was noted independently in [14]. Below we refer to the time needed to perform an exponentiation operation with respect to a base element in $G$ and an exponent in $Z_q$, in our fixed RAM model of computation. A proof of Lemma 1 is in [2].

Lemma 1. Let $G$ be a group of a large prime order $q$ and let $g$ be a generator of $G$. There is a probabilistic algorithm $R$, running in time proportional to that of an exponentiation, such that for any $a, b, c$ in $Z_q$ the algorithm takes input $g^a, g^b, g^c$, together with a last input that is either $0$ or $\neq 0$, and returns a triple $g^{a'}, g^{b'}, g^{c'}$ for which the properties represented by the following table are satisfied, where we read the row and column headings as conditions, and the table entries as the properties of the outputs under those conditions:

                          last input $= 0$         last input $\neq 0$
  $c = ab \bmod q$        $a' = a$                 $a'$ is random
                          $b'$ is random           $b'$ is random
                          $c' = a'b' \bmod q$      $c' = a'b' \bmod q$
  $c \neq ab \bmod q$     $a' = a$                 $a'$ is random
                          $b'$ is random           $b'$ is random
                          $c'$ is random           $c'$ is random

Here random means distributed uniformly over $Z_q$ independently of anything else.



El Gamal. As indicated above, our reduction of multi-user security to single-user security is tight in general. Here we will obtain a much better result for a specific scheme, namely the El Gamal encryption scheme over a group of prime order, by exploiting Lemma 1. We fix a group $G$ for which the decision Diffie-Hellman problem is hard and let $q$ (a prime) be its size. Let $g$ be a generator of $G$. The prime $q$ and the generator $g$ comprise the global information $I$ for the El Gamal scheme. The algorithms describing the scheme $\mathcal{EG} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ are depicted below. The message space associated to a public key $(q, g, X)$ is the group $G$ itself, with the understanding that all messages from $G$ are properly encoded as strings of some common length whenever appropriate.

Algorithm $\mathcal{K}(q, g)$
    $x \xleftarrow{R} Z_q$; $X \leftarrow g^x$
    $pk \leftarrow (q, g, X)$
    $sk \leftarrow (q, g, x)$
    Return $(pk, sk)$

Algorithm $\mathcal{E}_{q,g,X}(m)$
    $y \xleftarrow{R} Z_q$; $Y \leftarrow g^y$
    $K \leftarrow X^y$; $W \leftarrow K \cdot m$
    Return $(Y, W)$

Algorithm $\mathcal{D}_{q,g,x}(Y, W)$
    $K \leftarrow Y^x$
    $m \leftarrow W \cdot K^{-1}$
    Return $m$



We noted in Section 1 that the hardness of the DDH problem implies that the El Gamal scheme meets the standard notion of indistinguishability of encryptions (cf. [11,6]), and the reduction is essentially tight: $\mathbf{Adv}^{\rm cpa}_{\mathcal{EG},I}(t)$ is at most $2 \cdot \mathbf{Adv}^{\rm ddh}_{G,g}(t)$. We want to look at the security of the El Gamal scheme in the multi-user setting. Directly applying Theorem 1 in conjunction with the above would tell us that

$\mathbf{Adv}^{n\text{-cpa}}_{\mathcal{EG},I}(t, e) \le 2en \cdot \mathbf{Adv}^{\rm ddh}_{G,g}(t')$   (1)

where $t' = t + O(\log(en))$. This is enough to see that polynomial security of the DDH problem implies polynomial security of El Gamal in the multi-user setting, but we want to improve the concrete security of this relation and say that the security of the El Gamal scheme in the multi-user setting almost does not degrade with respect to the assumed hardness of the DDH problem. The following theorem states our improvement.
Theorem 2. Let $G$ be a group of a large prime order $q$ and let $g$ be a generator of the group $G$. Let $\mathcal{EG} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the El Gamal public-key encryption scheme associated to these parameters as described above. Let $n, e, t$ be integers. Then

$\mathbf{Adv}^{n\text{-cpa}}_{\mathcal{EG},I}(t, e) \le 2 \cdot \mathbf{Adv}^{\rm ddh}_{G,g}(t') + \frac{1}{q}$

where $t'$ is $t$ plus the time for $O(en)$ exponentiations in $G$.

The $1/q$ term is negligible in practice since $q$ is large, so the theorem is saying that the security of the encryption scheme is within a constant factor of that of the DDH problem, even where there are many users and the time-complexities are comparable.

Proof of Theorem 2: Let $A$ be an adversary attacking the El Gamal public-key encryption scheme $\mathcal{EG}$ in the multi-user setting (cf. Definition 3). Suppose it makes at most $e$ queries to each of its $n$ oracles and has time-complexity at most $t$. We will design an adversary $D_A$ for the Decisional Diffie-Hellman problem (cf. Definition 5) so that $D_A$ has running time at most $t'$ and

$\mathbf{Adv}^{\rm ddh}_{G,g}(D_A) \ge \frac{1}{2} \cdot \mathbf{Adv}^{n\text{-cpa}}_{\mathcal{EG},I}(A) - \frac{1}{2q}$.   (2)

The statement of the theorem follows by taking maximums. So it remains to specify $D_A$. The code for $D_A$ is presented in Figure 1. It has input $q, g$, and also three elements $X, Y, K \in G$. It will use adversary $A$ as a subroutine. $D_A$ will provide for $A$ as input public keys $pk_1, \ldots, pk_n$ and global information $I$ and will simulate for $A$ the $n$ LR oracles $\mathcal{E}_{pk_i}(\mathrm{LR}(\cdot,\cdot,b))$ for $i = 1, \ldots, n$. We use the notation $A \rightarrow (i, m_0, m_1)$ to indicate that $A$ is making query $(m_0, m_1)$ to its $i$-th LR oracle, where $1 \le i \le n$ and $|m_0| = |m_1|$. We use the notation $A \leftarrow (\cdot)$ to indicate that we are returning the indicated ciphertext to $A$ as the response to this LR oracle query. We are letting $R$ denote the algorithm of Lemma 1.

An analysis of this algorithm — which is omitted here due to lack of space but can be found in [2] — shows that

$\Pr\big[\mathbf{Exp}^{\rm ddh\text{-}real}_{G,g}(D_A) = 1\big] = \frac{1}{2} + \frac{1}{2} \cdot \mathbf{Adv}^{n\text{-cpa}}_{\mathcal{EG},I}(A)$   (3)

and

$\Pr\big[\mathbf{Exp}^{\rm ddh\text{-}rand}_{G,g}(D_A) = 1\big] \le \frac{1}{2} + \frac{1}{2q}$.   (4)

Subtracting Equations (3) and (4) we get Equation (2). □
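As an added example (my own code, not the paper's), the following Python block implements a re-randomizer with the input/output behaviour of Lemma 1 together with the key and ciphertext preparation that $D_A$ of Figure 1 performs from a single DDH instance, and checks that in the real case every simulated ciphertext is a correct El Gamal ciphertext under the simulated user's key. The toy group ($p = 2039$, $q = 1019$, $g = 4$), the name `beta` for the last input of $R$ (a bit here), the coin-tracking helper `exponents_after` and all function names are my own assumptions; the particular formulas inside `rerandomize` are my construction, not the paper's algorithm.

```python
import random

# Constructed toy parameters (own assumption, far too small to be secure):
# p = 2q + 1 with q prime, and G = the order-q subgroup of Z_p^* generated by g = 4.
P, Q, G0 = 2039, 1019, 4


def seeded_rng(seed):
    return random.Random(seed)


def ddh_instance(q, g, p, rng, real):
    """Sample an instance as in the two experiments of Definition 5:
    real=True gives (g^x, g^y, g^xy), real=False gives (g^x, g^y, g^z), z random.
    The exponents are returned too, for the checker below only."""
    x, y = rng.randrange(q), rng.randrange(q)
    z = x * y % q if real else rng.randrange(q)
    return (pow(g, x, p), pow(g, y, p), pow(g, z, p)), (x, y, z)


def rerandomize(q, g, p, X, Y, K, beta, rng):
    """Own construction of an algorithm R with the behaviour of Lemma 1 (not the
    paper's algorithm). Input (X, Y, K) = (g^a, g^b, g^c) and a flag beta.
    With coins (u, r, w, s) the output (X', Y', K') has exponents
        a' = u*a + r,   b' = w*b + s,   c' = u*w*c + u*s*a + r*w*b + r*s,
    hence c' - a'b' = u*w*(c - ab) mod q. As u != 0 and w is uniform, a DH input
    gives a DH output, and for a non-DH input c' is uniform and independent of
    a', b'. beta = 0 fixes u = 1, r = 0, so X' = X (same public key);
    beta != 0 makes a' uniform (a fresh public key)."""
    if beta == 0:
        u, r = 1, 0
    else:
        u, r = rng.randrange(1, q), rng.randrange(q)
    w, s = rng.randrange(q), rng.randrange(q)
    Xp = pow(X, u, p) * pow(g, r, p) % p
    Yp = pow(Y, w, p) * pow(g, s, p) % p
    Kp = (pow(K, u * w, p) * pow(X, u * s, p) * pow(Y, r * w, p)
          * pow(g, r * s, p)) % p
    return (Xp, Yp, Kp), (u, r, w, s)


def exponents_after(q, a, b, c, coins):
    """Exponents (a', b', c') of R's output from the input exponents and coins.
    For checking only: R itself never sees a, b, c."""
    u, r, w, s = coins
    return ((u * a + r) % q, (w * b + s) % q,
            (u * w * c + u * s * a + r * w * b + r * s) % q)


def eg_decrypt(p, x, Y, W):
    """El Gamal decryption D_{q,g,x}(Y, W) = W * (Y^x)^-1."""
    return W * pow(pow(Y, x, p), -1, p) % p


def simulate_users(q, g, p, X, Y, K, n, e, rng):
    """The preparation step of D_A in Figure 1 from one DDH instance: user i gets
    a fresh public key X'_i[1] via R(..., 1) and e triples, the later ones via
    R(first triple, 0) so that all of them share that public key. Returns, per
    user, the triple list and the coins (the coins serve the checker only)."""
    users = []
    for _ in range(n):
        first, first_coins = rerandomize(q, g, p, X, Y, K, 1, rng)
        triples, coins = [first], [first_coins]
        for _ in range(1, e):
            t, c = rerandomize(q, g, p, first[0], first[1], first[2], 0, rng)
            triples.append(t)
            coins.append(c)
        users.append((triples, coins))
    return users


def answer_lr_query(triples, ctr, m0, m1, b, p):
    """D_A's reply to A -> (i, m0, m1): the ctr-th pair (Y'_i, K'_i) of user i
    becomes the El Gamal-shaped ciphertext (Y'_i, K'_i * m_b)."""
    _, Yp, Kp = triples[ctr]
    return Yp, Kp * (m1 if b else m0) % p


def real_case_is_perfect(q, g, p, n, e, seed):
    """Checker: on a real DDH instance every simulated ciphertext is a correct
    El Gamal ciphertext under the simulated user's key, i.e. it decrypts to m_b
    under the secret exponent x'_i recovered from the coins."""
    rng = seeded_rng(seed)
    (X, Y, K), (x, y, z) = ddh_instance(q, g, p, rng, real=True)
    m0, m1 = pow(g, 7, p), pow(g, 9, p)  # constructed messages in G
    for triples, coins in simulate_users(q, g, p, X, Y, K, n, e, rng):
        xi = exponents_after(q, x, y, z, coins[0])[0]  # user's secret key
        if pow(g, xi, p) != triples[0][0]:
            return False
        for j in range(e):
            if triples[j][0] != triples[0][0]:  # one public key per user
                return False
            for b, m in ((0, m0), (1, m1)):
                Yc, Wc = answer_lr_query(triples, j, m0, m1, b, p)
                if eg_decrypt(p, xi, Yc, Wc) != m:
                    return False
    return True
```

`real_case_is_perfect(Q, G0, P, 3, 4, 7)` returns `True`; in the random case the same preparation hands $A$ ciphertexts whose $K'$ parts are independent of the keys, which is why $A$'s guess is then worth at most the $1/(2q)$ slack of Equation (4).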

Cramer-Shoup. Now we consider another specific scheme, namely the practical public-key cryptosystem proposed by Cramer and Shoup, which is secure against chosen-ciphertext attack in the single-user setting as shown in [6]. We are interested in the security of this scheme (against chosen-ciphertext attack) in the multi-user setting. Let us define the basic scheme. Let $G$ be a group of
Adversary $D_A(q, g, X, Y, K)$
    $b \xleftarrow{R} \{0,1\}$
    For $i = 1, \ldots, n$ do
        $(X'_i[1], Y'_i[1], K'_i[1]) \leftarrow R(q, g, X, Y, K, 1)$; $pk_i \leftarrow (q, g, X'_i[1])$; $ctr_i \leftarrow 0$
        For $j = 2, \ldots, e$ do
            $(X'_i[j], Y'_i[j], K'_i[j]) \leftarrow R(q, g, X'_i[1], Y'_i[1], K'_i[1], 0)$
        EndFor
    EndFor
    Run $A$ replying to oracle queries as follows:
        $A \rightarrow (i, m_0, m_1)$   [$1 \le i \le n$ and $m_0, m_1 \in G$]
            $ctr_i \leftarrow ctr_i + 1$; $W_i[ctr_i] \leftarrow K'_i[ctr_i] \cdot m_b$
            $A \leftarrow (Y'_i[ctr_i], W_i[ctr_i])$
    Eventually $A$ halts and outputs a bit $d$
    If $b = d$ then return 1 else return 0

Fig. 1. Distinguisher $D_A$ in proof of Theorem 2, where $R$ is the algorithm of Lemma 1.



a large prime order $q$ and let $g$ be a generator of $G$. The prime $q$ and the generator $g$ comprise the global information $I$ for the scheme. Let $\mathcal{H}$ be a family of collision-resistant hash functions, each member of which maps strings of arbitrary length to the elements of $Z_q$. The message space is the group $G$. The algorithms describing the scheme $\mathcal{CS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ are defined as follows:



Algorithm $\mathcal{K}(q, g)$
    $g_1 \xleftarrow{R} G$; $g_2 \xleftarrow{R} G$
    $x_1, x_2, y_1, y_2, z \xleftarrow{R} Z_q$
    $c \leftarrow g_1^{x_1} g_2^{x_2}$; $d \leftarrow g_1^{y_1} g_2^{y_2}$; $h \leftarrow g_1^{z}$
    $H \xleftarrow{R} \mathcal{H}$
    $pk \leftarrow (g_1, g_2, c, d, h, H)$
    $sk \leftarrow (x_1, x_2, y_1, y_2, z)$
    Return $(pk, sk)$

Algorithm $\mathcal{E}_{pk}(m)$
    $r \xleftarrow{R} Z_q$
    $u_1 \leftarrow g_1^{r}$; $u_2 \leftarrow g_2^{r}$
    $e \leftarrow h^{r} m$
    $\alpha \leftarrow H(u_1, u_2, e)$
    $v \leftarrow c^{r} d^{r\alpha}$
    Return $(u_1, u_2, e, v)$

Algorithm $\mathcal{D}_{sk}(C)$
    parse $C$ as $(u_1, u_2, e, v)$
    $\alpha \leftarrow H(u_1, u_2, e)$
    If $u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha} = v$ then $m \leftarrow e / u_1^{z}$ else reject
    Return $m$
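As an added example (my own code, not the authors'), a Python implementation of the basic Cramer-Shoup algorithms just listed over a constructed toy group ($p = 2039$, $q = 1019$, $g = 4$), with SHA-256 reduced mod $q$ standing in for a member of the collision-resistant family (an assumption), followed by a check that modified ciphertexts of the kind a chosen-ciphertext adversary submits never decrypt to the original message; all function names are mine.

```python
import hashlib
import random

# Constructed toy group (own assumption, insecure at this size): p = 2q + 1 with
# q prime, G = the order-q subgroup of Z_p^* (the quadratic residues), g = 4.
P, Q, G0 = 2039, 1019, 4


def hash_to_zq(u1, u2, e):
    """Stand-in for the member H of the family: SHA-256 of the encoded inputs,
    reduced mod q (assumption: any collision-resistant hash into Z_q will do)."""
    data = b"|".join(str(v).encode() for v in (u1, u2, e))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def cs_keygen(rng):
    """K(q, g): random generators g1, g2 of G and secret exponents x1, x2, y1, y2, z."""
    g1 = pow(G0, rng.randrange(1, Q), P)
    g2 = pow(G0, rng.randrange(1, Q), P)
    x1, x2, y1, y2, z = (rng.randrange(Q) for _ in range(5))
    c = pow(g1, x1, P) * pow(g2, x2, P) % P
    d = pow(g1, y1, P) * pow(g2, y2, P) % P
    h = pow(g1, z, P)
    return (g1, g2, c, d, h), (x1, x2, y1, y2, z)


def cs_encrypt(pk, m, rng):
    """E_pk(m) for m in G: returns the ciphertext (u1, u2, e, v)."""
    g1, g2, c, d, h = pk
    r = rng.randrange(Q)
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = pow(h, r, P) * m % P
    alpha = hash_to_zq(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * alpha % Q, P) % P
    return (u1, u2, e, v)


def cs_decrypt(sk, ct):
    """D_sk(C): recompute alpha, verify the tag v with the secret exponents, and
    only then recover m = e / u1^z. Returns None to signal 'reject'."""
    u1, u2, e, v = ct
    x1, x2, y1, y2, z = sk
    alpha = hash_to_zq(u1, u2, e)
    tag = pow(u1, (x1 + y1 * alpha) % Q, P) * pow(u2, (x2 + y2 * alpha) % Q, P) % P
    if tag != v:
        return None
    return e * pow(pow(u1, z, P), -1, P) % P


def tamper_check(seed):
    """Encrypt m, then decrypt the genuine ciphertext and three modified copies,
    the kind of queries the decryption oracles of Definition 3 must answer.
    Returns (genuine decrypts to m, no modified copy decrypts to m,
             the copy with a modified tag v is rejected outright)."""
    rng = random.Random(seed)
    pk, sk = cs_keygen(rng)
    m = pow(G0, 123, P)  # constructed message in G
    ct = cs_encrypt(pk, m, rng)
    u1, u2, e, v = ct
    modified = [
        (u1, u2, e * G0 % P, v),  # masked message changed: alpha (almost surely) changes
        (u1 * G0 % P, u2, e, v),  # u1 changed: u1 and u2 no longer share the same r
        (u1, u2, e, v * G0 % P),  # tag changed: never equals the recomputed tag
    ]
    return (cs_decrypt(sk, ct) == m,
            all(cs_decrypt(sk, c) != m for c in modified),
            cs_decrypt(sk, modified[2]) is None)
```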







Although Cramer and Shoup do not explicitly state the concrete security of their reduction, it can be gleaned from the proof in [6, Section 4]. Their reduction is essentially tight. In our language:

$\mathbf{Adv}^{\rm cca}_{\mathcal{CS},I}(t, d) \le 2 \cdot \mathbf{Adv}^{\rm ddh}_{G,g}(t) + 2 \cdot \mathbf{Adv}_{\mathcal{H}}(t) + (\text{a term in } d \text{ and } q)$   (5)

as long as $d < q/2$. The first term represents the advantage of the scheme in the single-user setting under chosen-ciphertext attack. Note that in this attack mode a new parameter is present, namely the number $d$ of decryption queries made by the adversary, and hence the advantage is a function of this in addition to the time $t$. (Definition 1 has the details.) We are using $\mathbf{Adv}_{\mathcal{H}}(t)$ to represent the maximum possible probability that an adversary with time $t$ can find collisions in a random member of the family $\mathcal{H}$. The last term in Equation (5) is negligible because $q$ is much bigger than $d$ in practice, which is why we view this reduction as tight. Moving to the multi-user setting, Theorem 1 in combination with the above tells us that

$\mathbf{Adv}^{n\text{-cca}}_{\mathcal{CS},I}(t, e, d) \le 2en \cdot \mathbf{Adv}^{\rm ddh}_{G,g}(t') + 2en \cdot \mathbf{Adv}_{\mathcal{H}}(t') + en \cdot (\text{the last term of (5)})$

where $t' = t + O(\log(en))$. The first term represents the advantage of the scheme in the multi-user setting under chosen-ciphertext attack, with $n$ users, $e$ encryption queries per user, and $d$ decryption queries per user. Our improvement is the following.

Theorem 3. Let $G$ be a group of a large prime order $q$. Let $\mathcal{H}$ be a family of collision-resistant hash functions, each member of which maps from $\{0,1\}^*$ into $Z_q$. Let $g$ be a generator of $G$. Let $\mathcal{CS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the Cramer-Shoup public-key encryption scheme associated to these parameters as defined above. Let $n, e, d, t$ be integers with $d < q/2$. Then

$\mathbf{Adv}^{n\text{-cca}}_{\mathcal{CS},I}(t, e, d) \le 2e \cdot \mathbf{Adv}^{\rm ddh}_{G,g}(t') + 2e \cdot \mathbf{Adv}_{\mathcal{H}}(t') + (\text{a term in } n, e, d \text{ and } q)$

where $t'$ is $t$ plus the time for $O(n)$ exponentiations in $G$.

Note that the last term is negligible for any reasonable values of $n, e, d$ due to the fact that $q$ is large. So comparing with Equation (5) we see that we have essentially the same proven security for $n$ users or one user when each encrypts $e$ messages.

The reduction we got for Cramer-Shoup is not as tight as the one we got for El Gamal. We did not avoid the factor of $e$ in a degradation of security of Cramer-Shoup for the multi-user setting. However it is still an open problem to avoid the factor of $e$ even when there is only a single user encrypting $e$ messages, so our result can be viewed as the optimal extension to the multi-user setting of the known results in the single-user setting.

To obtain this result we use Lemma 1 and modify the simulation algorithm from [6]. We provide a full proof and discuss the difficulties in improving the quality of the reduction in [2].
Abstract. The cryptosystem recently proposed by Cramer and Shoup [CS98] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational Diffie-Hellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional Diffie-Hellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of Cramer and Shoup; indeed, the scheme is slightly more efficient than the one originally presented by Cramer and Shoup; we prove that the scheme is secure if the Decisional Diffie-Hellman assumption is true; we give strong evidence that the scheme is secure if the weaker, Computational Diffie-Hellman assumption is true by providing a proof of security in the random oracle model.



1 Introduction 

It is largely agreed upon in the cryptographic research community that the 
“right” definition of security for a public key cryptosystem is security against 
adaptive chosen ciphertext attack, as defined by Rackoff and Simon [RS91] and 
Dolev, Dwork, and Naor [DDN91]. At least, this is the definition of security that 
allows the cryptosystem to be deployed safely in the widest range of applications. 

Dolev, Dwork, and Naor [DDN91] presented a cryptosystem that could be proven secure in this sense using a reasonable intractability assumption. However, their scheme was quite impractical. Subsequently, Bellare and Rogaway [BR93,BR94] presented very practical schemes, and analyzed their security under the standard RSA assumption; more precisely, they proved the security of these schemes in the random oracle model, wherein a cryptographic hash function is treated as if it were a “black box” containing a random function. However, the security of these schemes in the “real world” (i.e., the standard model of computation) has never been proved.

A proof of security in the random oracle model provides strong evidence that breaking the scheme without breaking the underlying intractability assumptions will be quite difficult to do, although it does not rule out this possibility altogether. The advantage of a proof of security in the “real world” is that it does not

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 275-288, 2000. 

© Springer-Verlag Berlin Heidelberg 2000




276 Victor Shoup 



just provide such strong evidence, it proves that the scheme cannot be broken 
without breaking the underlying intractability assumptions. 

Recently, Cramer and Shoup [CS98] presented a practical cryptosystem and proved its security in the standard model, based on the Decisional Diffie-Hellman (DDH) assumption. It is hard to compare the security of this scheme with that of the schemes of Bellare and Rogaway — although the former scheme can be analyzed in the “real world,” and the latter schemes only in the random oracle model, the underlying intractability assumptions are incomparable. Indeed, a proof of security is worthless if the underlying assumptions turn out to be false, and in fact, both the Cramer-Shoup scheme (in its basic form) and the Bellare-Rogaway schemes can be broken if their respective assumptions are false.

Perhaps the strongest criticism against the Cramer-Shoup scheme is that the 
assumption is too strong; in particular, it has not been studied as extensively as 
other assumptions, including the RSA assumption. 

In this paper, we address this criticism by presenting a hybrid variation of the Cramer-Shoup scheme. This scheme is actually somewhat simpler and more efficient than the original, and a proof of security in the “real world” can also be made based on the DDH assumption. However, the same scheme can also be proved secure in the random oracle model based on the Computational Diffie-Hellman (CDH) assumption. This assumption was introduced by Diffie and Hellman [DH76] in their work that opened the field of public key cryptography, and has been studied at least as intensively as any other intractability assumption used in modern cryptography. Thus, in comparison to other available practical encryption schemes, the scheme discussed here is arguably no less secure, while still admitting a proof of security in the “real world” under a reasonable, if somewhat strong, intractability assumption.

We believe this “hedging with hash” approach may be an attractive design paradigm. The general form of this approach would be to design practical cryptographic schemes whose security can be proved in the “real world” based on a reasonable, if somewhat strong, intractability assumption, but whose security can also be proved in the random oracle model under a weaker intractability assumption. This same “hedging with hash” security approach has also been applied to digital signature schemes: Cramer and Shoup [CS99] presented and analyzed a practical signature scheme that is secure in the “real world” under the so-called Strong RSA assumption, but is also secure in the random oracle model under the ordinary RSA assumption. Although that paper and this paper both advocate this “hedging with hash” security approach, the technical details and proof techniques are quite unrelated. In the context of encryption or signatures, one can also “hedge” just by combining two schemes based on different intractability assumptions (via composition for encryption and via concatenation for signatures). However, this type of hedging is much more expensive computationally, and much less elegant than the type of hedging we are advocating here.

Other Diffie-Hellman Based Encryption Schemes. [TY98] present a scheme, but it cannot be proved secure against adaptive chosen ciphertext attack under any intractability assumption, even in the random oracle model. There is indeed a security analysis in [TY98], but rather than basing the proof of security on the hardness of a specific problem, it is based on the assumption that the adversary behaves in a specific way, similar to as was done in [ZS92]. [SG98] present two schemes; the first can be proved secure against adaptive chosen ciphertext attack in the random oracle model under the CDH, while the proof of security for the second relies on the DDH. Both schemes are amenable to distributed decryption. Moreover, the techniques in the current paper can be applied to the second scheme to weaken the intractability assumption, replacing the DDH with the CDH (but not the distributed version). [SG98] also discusses an encryption scheme that is essentially the same as that in [TY98], and argues why it would be quite difficult using known techniques to prove that such a scheme is secure against adaptive chosen ciphertext attack even in the random oracle model. [ABR98] present a scheme for which security against adaptive chosen ciphertext attack can only be proved under non-standard assumptions — these assumptions relate to the hardness of certain “interactive” problems, and as such they do not qualify as “intractability assumptions” in the usual sense of the term. Furthermore, using random oracles does not seem to help. [FO99] present a scheme that can be proven secure against adaptive chosen ciphertext attack under the CDH assumption in the random oracle model. Moreover, they present a fairly general method of converting any public-key encryption scheme that is semantically secure into one that can be proved secure against adaptive chosen ciphertext attack in the random oracle model. However, nothing at all can be said about the security of this scheme in the “real world.”



2 Security against Adaptive Chosen Ciphertext Attack 

We recall the definition of security against adaptive chosen ciphertext attack. 

We begin by describing the attack scenario. 

First, the key generation algorithm is run, generating the public key and 
private key for the cryptosystem. The adversary, of course, obtains the public 
key, but not the private key. 

Second, the adversary makes a series of arbitrary queries to a decryption 
oracle. Each query is a ciphertext that is decrypted by the decryption oracle, 
making use of the private key of the cryptosystem. The resulting decryption is 
given to the adversary. The adversary is free to construct the ciphertexts in an 
arbitrary way — it is certainly not required to compute them using the encryption 
algorithm. 

Third, the adversary prepares two messages $m_0, m_1$ and gives these to an encryption oracle. The encryption oracle chooses $b \in \{0,1\}$ at random, encrypts $m_b$, and gives the resulting “target” ciphertext to the adversary. The adversary is free to choose $m_0$ and $m_1$ in an arbitrary way, except that if message lengths are not fixed by the cryptosystem, then these two messages must nevertheless be of the same length.

Fourth, the adversary continues to submit ciphertexts to the decryption oracle, subject only to the restriction that the submitted ciphertext differs from the target ciphertext.

Just before the adversary terminates, it outputs $b' \in \{0,1\}$, representing its “guess” of $b$.

That completes the description of the attack scenario.

The adversary’s advantage in this attack scenario is defined to be the distance from $1/2$ of the probability that $b' = b$.

A cryptosystem is defined to be secure against adaptive chosen ciphertext attack if for any efficient adversary, its advantage is negligible.

Of course, this is a complexity-theoretic definition, and the above description suppresses many details, e.g., there is an implicit security parameter which tends to infinity, and the terms “efficient” and “negligible” are technical terms, defined in the usual way. One can work in a uniform (i.e., Turing machines) or a non-uniform model (i.e., circuits) of computation. This distinction will not affect any results in this paper.

3 Intractability Assumptions 

In this section, we discuss the intractability assumptions used in this paper. 

Let $G$ be a group of large prime order $q$.

The Discrete Logarithm (DL) problem is this: given $g, h \in G$ with $g \neq 1$, compute $\log_g h$ (modulo $q$).

The Computational Diffie-Hellman (CDH) problem is this: given $g \in G$ with $g \neq 1$, along with $g^x$ and $g^y$, compute $g^{xy}$. A “good” algorithm for this problem is an efficient, probabilistic algorithm such that for all inputs, its output is correct with all but negligible probability. The CDH assumption is the assumption that no such “good” algorithm exists. Using well-known random-self reductions, along with the results of [MW96] or [Sho97], the existence of such a “good” algorithm is equivalent to the existence of a probabilistic algorithm that outputs a correct answer with non-negligible probability, where the probability is taken over the coin flips of the algorithm, as well as a random choice of $g \in G$, and $x, y \in Z_q$.

The Decisional Diffie-Hellman (DDH) problem is this: given $g \in G$ with $g \neq 1$, along with $g^x$, $g^y$ and $g^z$, decide if $z = xy \bmod q$. A “good” algorithm is an efficient, probabilistic algorithm such that for all inputs, its output is correct with all but negligible probability. The DDH assumption is the assumption that no such “good” algorithm exists. Using the random-self reduction presented by Stadler [Sta96], the existence of such a “good” algorithm is equivalent to the existence of a probabilistic statistical test distinguishing the distributions $(g, g^x, g^y, g^{xy})$ and $(g, g^x, g^y, g^z)$, where $g \in G$, and $x, y, z \in Z_q$ are randomly chosen.

All of these problems are equally hard in a “generic” model of computation, where an algorithm is not allowed to exploit the representation of the group [Sho97]; in this model, on the order of $\sqrt{q}$ group operations are both necessary and sufficient. However, for specific groups, special methods, such as “index calculus” methods, may apply, allowing for more efficient algorithms.
In general, the only known way to solve either the CDH or DDH problems is 
to first solve the DL problem. However, there remains the possibility that the DL 
problem is hard and the CDH problem is easy, or that the CDH problem is hard, 
and the DDH problem is easy. Maurer [Mau94] has shown that under certain 
circumstances, an algorithm for solving the CDH problem can be used to solve 
the DL problem. This reduction is a “generic” reduction that does not depend 
on the representation of the group . It can also be shown that there is no such 
generic reduction allowing one to efficiently solve the CDH or DL problems using 
an algorithm for the DDH problem. This fact could be considered as evidence 
supporting the claim that the DDH assumption is possibly stronger than the 
CDH assumption. 

It is perhaps worth stressing that although the DDH may be a stronger 
assumption than either the DL or CDH assumption, these latter two “usual” 
assumptions have rarely, if ever, been used to prove the security of a practical 
cryptographic scheme of any kind — except in the random oracle model. Indeed, it 
appears to be a widely held misconception that the security of the Diffie-Hellman 
key exchange protocol [DH76] and variants thereof (e.g., [DvOW92]) is implied 
by the CDH assumption. This is simply not the case — under any reasonable 
definition of security, except in the random oracle model. One can use the DDH 
assumption, however, as the basis for proving the security of such schemes (see, 
e.g., [BCK98,Sho99]). 

The DDH assumption appears to have first surfaced in the cryptographic 
literature in [Bra93]. For other applications and discussion of the DDH, see 
[Bon98,NR97]. 

As in the previous section, we have suppressed many details in the above 
discussion, e.g., there is an implicit security parameter that tends to infinity, 
and for each value of the security parameter, there is an implicit probability 
distribution of groups. 

4 The Encryption Scheme 

4.1 The Basic Cramer-Shoup Scheme 

We recall the basic Cramer-Shoup cryptosystem, as presented in [CS98]. The 
cryptosystem works with a group of large prime order . 

Key Generation. The key generation algorithm runs as follows. Random elements 
g1, g2 ∈ G\{1} are chosen, and random elements 

x1, x2, y1, y2, z ∈ Zq 

are also chosen. Next, the group elements 

c = g1^{x1} g2^{x2}, d = g1^{y1} g2^{y2}, h = g1^z 

are computed. Finally, a random key k indexing a universal one-way hash function 
UOWH is chosen. We assume that the output of the hash function is 
an element of Zq. The public key is (g1, g2, c, d, h, k), and the private key is 
Encryption. To encrypt, we assume a message can be encoded as an element of 
G. The encryption algorithm runs as follows. First, it chooses r ∈ Zq at random. 
Then it computes 

u1 = g1^r, u2 = g2^r, e = h^r m, α = UOWH(k; u1, u2), v = c^r d^{rα}. 

The ciphertext is 

(u1, u2, e, v). 

Decryption. Given a ciphertext (u1, u2, e, v), the decryption algorithm runs as 
follows. It first computes α = UOWH(k; u1, u2), and tests if 

If this condition does not hold, the decryption algorithm outputs “reject”; 
otherwise, it outputs 

m = e / u1^z. 

In [CS98], it was shown that this scheme is secure against adaptive chosen 
ciphertext attack, under the DDH assumption for , and assuming UOWH is 
a secure universal one-way hash function. Although there are theoretical con- 
structions for UOWH [NY89], a reasonable construction would be to use the 
compression function of SHA-1, in conjunction with the constructions in [BR97] 
or [Sho00]. With this approach, the security of UOWH can be based on the 
assumption that the SHA-1 compression function is second-preimage collision 
resistant, a potentially much weaker assumption than full collision resistance. 



4.2 A General Hybrid Construction 

We describe here a general method for constructing a hybrid encryption scheme. 
To this end, it is convenient to define the notion of a key encapsulation scheme. 
This is a scheme that allows a party to generate a random bit string and send 
it to another party, encrypted under the receiving party’s public key. 

A key encapsulation scheme works just like a public key encryption scheme, 
except that the encryption algorithm takes no input other than the recipient’s 
public key. Instead, the encryption algorithm generates a pair ( ), where 

is a random bit string of some specified length, say , and is an encryption of 
, that is, the decryption algorithm applied to yields 

One can always use a public key encryption scheme for this purpose, gener- 
ating a random bit string, and then encrypting it under the recipient’s public 
key. However, as we shall see, one can construct a key encapsulation scheme in 
other ways as well. 

One can easily adapt the notion of security against adaptive chosen cipher- 
text attack to a key encapsulation scheme. The only difference in the attack 
scenario is the behavior of the encryption oracle. The adversary does not give 
two messages to the encryption oracle. Rather, the encryption oracle runs the 
key encapsulation algorithm to obtain a pair ( ' '). The encryption oracle 
then gives the adversary either ( ' ') or ( " '), where " is an independent 
random -bit string; the choice of ' versus " depends on the value of 
the random bit chosen by the encryption oracle. 

Using a key encapsulation scheme that is secure against adaptive chosen 
ciphertext attack, we can construct a hybrid public key cryptosystem that is 
secure against adaptive chosen ciphertext attack as follows. 

We need a pseudo-random bit generator PRBG. There are theoretical con- 
structions for such a generator, but a perfectly reasonable approach is to con- 
struct the generator using a standard block cipher, such as DES, basing its se- 
curity on a reasonable pseudo-randomness assumption on the underlying block 
cipher. We assume that PRBG stretches -bit strings to strings of arbitrary length. 
We assume here that 1 /2^ is a negligible quantity. 

We need a hash function AXUH suitable for message authentication, i.e., an 
almost XOR- universal hash function [Kra94]. We assume that AXUH is keyed 
by an string and hashes arbitrary bit strings to -bit strings. Many efficient 
constructions for AXUH exist that do not require any intractability assumptions. 

To encrypt a message , we run the key encapsulation scheme to obtain a 
random string along with its encryption . Next, we apply PRBG to to 
obtain an '-bit string i, an -bit string 2 > and an | |-bit string . Finally, 
we compute 

= 0 =AXUH( i; )© 2 

The ciphertext is 

( ) 

To decrypt ( ), we first decrypt to obtain . Note that decrypting 

may result in a “reject,” in which case we “reject” as well. Otherwise, we apply 
PRBG to to obtain an '-bit string i, an -bit string 2 , and an | | -bit string 
. We then test if = AXUH( 1 ; ) © 2 - If this condition does not hold, we 

“reject.” Otherwise, we output = © . 

Theorem 1. If the underlying key encapsulation scheme is secure against adap- 
tive chosen ciphertext attack, and PRBG is a secure pseudo-random bit generator, 
then the above hybrid scheme is also secure against adaptive chosen ciphertext 
attack. 

This appears to be somewhat of a “folk theorem.” The proof is straightfor- 
ward, and is left as an easy exercise for the reader. 

4.3 A Hybrid Cramer-Shoup Scheme 

We now describe a key encapsulation scheme based on the Cramer-Shoup en- 
cryption scheme. Combined with the general hybrid construction in §4.2, this 
yields a hybrid encryption scheme. As a hybrid scheme, it is much more flexible 
than the “basic” version of the scheme described in §4.1, as messages may be 
arbitrary bit strings and do not need to be encoded as group elements. This 
flexibility allows one greater freedom in choosing the group , which can be ex- 
ploited to obtain a much more efficient implementation as well. Also, the scheme 
we describe incorporates some modifications that lead to a simpler and more 
efficient decryption algorithm. 

We need a pair-wise independent hash function PIH. We assume that PIH 
takes a key and maps elements G to -bit strings. Many efficient construc- 
tions for PIH exist that do not require any intractability assumptions. We will 
want to apply the Entropy Smoothing Theorem (see [Lub96, Ch. 8] or [IZ89]) to 
PIH, assuming that the input is a random group element. To do this effectively, 
the relative sizes of and must be chosen appropriately, so that a/ 2Y is a 
negligible quantity. 

We also need a “magic” hash function MH mapping elements of x to 
-bit strings. This function is not required to satisfy any particular security 
requirements. A construction using a cryptographic hash like MD5 or SHA-1 is 
recommended (see [BR93]). This function will only play a role when we analyze 
the scheme in the random oracle model, where MH will be modeled as a random 
oracle. 

Now we are ready to describe the key encapsulation scheme. 

Key Generation. A random element g1 ∈ G\{1} is chosen, together with w ∈ 
Zq\{0} and x, y, z ∈ Zq. Next, the following group elements are computed: 

g2 = g1^w, c = g1^x, d = g1^y, h = g1^z. 

Finally, a random key k indexing a universal one-way hash function UOWH is 
chosen, as well as a random key hk for PIH; the public key is (g1, g2, c, d, h, k, hk). 

Key Encapsulation. The key encapsulation scheme runs as follows. First, it 
chooses r ∈ Zq at random. Then it computes 

u1 = g1^r, u2 = g2^r, α = UOWH(k; u1, u2), v = c^r d^{rα}. 

Finally, it computes 

λ = h^r, K = PIH(hk; λ) ⊕ MH(u1, λ). 

The ciphertext is 

(u1, u2, v), 

which is an encryption of the key 

K. 



Decryption. Given a ciphertext (u1, u2, v), the decryption algorithm runs as 
follows. It first computes α = UOWH(k; u1, u2), and tests if 

u2 = u1^w and v = u1^{x+αy}. 

If this condition does not hold, the decryption algorithm outputs “reject” and 
halts. Otherwise, it computes λ = u1^z and outputs the key K = PIH(hk; λ) ⊕ MH(u1, λ). 



Theorem 2. The above key encapsulation scheme is secure against adaptive 
chosen ciphertext attack, under the DDH assumption for , and also assuming 
that UOWH is a secure universal one-way hash function. 
We only briefly sketch the proof, as it differs only slightly from the proof of 
the main theorem in [CS98]. The structure of the proof is as follows. We make a 
sequence of transformations to the attack game. In each of these transformations, 
we argue that we affect the adversary’s advantage by a negligible amount, and in 
the final transformed game, the adversary’s advantage is zero. The original game 
is denoted G0, and the transformed games are denoted Gi, for i = 1, 2, . . . . 

First, some notation. Let ' = (u1', u2', v') be the “target” ciphertext. For 
notational convenience and clarity, the internal variables used by the encryption 
algorithm in generating the target ciphertext will also be referred to in “primed” 
form, e.g., the value of for the target ciphertext is denoted '. Also, we will call 
a ciphertext (u1, u2, v) valid if log_{g1} u1 = log_{g2} u2; otherwise, it is called invalid. 

In game G1, we change the key generation algorithm as follows. It chooses 
g1, g2 ∈ G\{1} at random, along with 

x1, x2, y1, y2, z1, z2 ∈ Zq. 

Next, it computes the following group elements: 

c = g1^{x1} g2^{x2}, d = g1^{y1} g2^{y2}, h = g1^{z1} g2^{z2}. 

It chooses the keys k and hk as before, and the public key is (g1, g2, c, d, h, k, hk). 

We also modify the decryption oracle as follows. Given a ciphertext (u1, u2, v), 
it computes α = UOWH(k; u1, u2), and tests if 

If this condition does not hold, the decryption oracle outputs “reject.” Otherwise, 
it computes λ and outputs the key K = PIH(hk; λ) ⊕ MH(u1, λ). 

We now claim that the adversary’s advantage in game Gi differs from its 
advantage in game G0 by a negligible amount. The argument runs along the 
same lines as that of the proof of Lemma 1 in [CS98]. That is, these two games are 
equivalent up to the point where an invalid ciphertext is not rejected; however, 
the probability that this happens is negligible. 

In game G2, we modify the encryption oracle, simply choosing u1', u2' ∈ G at 
random, setting 

v' = 

and computing the rest of the target ciphertext as usual. 

It is clear that under the DDH assumption, the adversary’s advantage in 
game G2 differs from its advantage in game Gi by a negligible amount. 

In game G3, we move the computation of the target ciphertext ' = 
(u1', u2', v') to the very beginning of the game, and if the adversary ever submits 
a ciphertext = (u1, u2, v) to the decryption oracle with (u1, u2) ≠ (u1', u2'), but 
with α = α', we simply halt the game. 

It is clear that under the security assumption for UOWH, the adversary’s advantage 
in game G3 differs from its advantage in game G2 by a negligible amount. 
In game G4, we modify the encryption oracle yet again, choosing ' as a 
random group element. 

That this only has a negligible impact on the adversary’s advantage follows 
from the line of reasoning in the proof of Lemma 2 in [CS98]. That is, these two 
games are equivalent up to the point where an invalid ciphertext is not rejected 
(provided log_{g1} u1' ≠ log_{g2} u2'); however, the probability that this happens is 
negligible (this makes use of the fact that no collisions in UOWH are found). 

In game G5, we modify the encryption oracle again, this time choosing ' 
as a random -bit string. 

This modification only has a negligible impact on the adversary’s advantage. 
Indeed, since PIH is a pair-wise independent hash function, so is the function 

PIH(hk; λ) ⊕ MH(u1', λ), 

where we view (hk, u1') as the key to this hash function. By the Entropy Smoothing 
Theorem, the value K' = PIH(hk; λ') ⊕ MH(u1', λ') is statistically indistinguishable 
from a random L-bit string. 

It is clear that in game G5, the adversary’s advantage is zero. That completes 
the proof of the theorem. 

Theorem 3. Modeling MH as a random oracle, the above key encapsulation 
scheme is secure against adaptive chosen ciphertext attack, under the CDH as- 
sumption for , and also assuming that UOWH is a secure universal one-way 
hash function. 

To prove this theorem, suppose there is an adversary that has a non-negligible 
advantage in the attack game. Now, Theorem 2 remains valid, even if we replace 
MH by a random oracle. So assuming the security properties of UOWH, the 
existence of an efficient adversary with non-negligible advantage implies the ex- 
istence of an efficient algorithm for solving the DDH problem in . In fact, 
the proof of Theorem 2 shows how to construct such an algorithm using the 
adversary as a subroutine; though technically “efficient,” this may not be the 
most practical algorithm for solving the DDH problem in ; a more practical 
algorithm would certainly make the simulator we describe below more efficient. 

In any case, we assume we have an efficient algorithm solving the DDH 
problem. To be precise, define the function DHP( ^ ^ to be 1 if yfl 

and = mod , and 0 otherwise. Then our assumption is that there is an 
efficient probabilistic algorithm that on all inputs computes DHP correctly, with 
negligible error probability. 

Now we show how to use such an algorithm for DHP, together with an ad- 
versary that has non-negligible advantage in the attack game, to construct an 
efficient algorithm for solving the CDH problem. We assume that the instance of 
the CDH problem consists of randomly chosen group elements g1, h, u1' ∈ G (with 
g1 ≠ 1), and our goal is to compute λ' ∈ G such that DHP(g1, u1', h, λ') = 1. 

We describe a simulator that simulates the adversary’s view in the attack 
game. The input to the simulator is g1, h, u1' ∈ G as above. 

The simulator constructs a public key for the cryptosystem as follows. It 
chooses w ∈ Zq\{0} at random and sets g2 = g1^w. It chooses x, y ∈ Zq at 
random, and computes c = g1^x, d = g1^y ∈ G. It also generates a random key k for 
UOWH and a random key hk for PIH. The public key is (g1, g2, c, d, h, k, hk). 

The simulator is in complete control of the random oracle representing MH. 
We maintain a set S (initially empty) of tuples 

(u1, λ, ν) ∈ G × G × {0,1}^L 

representing the portion of MH that has been defined so far. That is, MH(u1, λ) is 
defined to be ν if and only if (u1, λ, ν) ∈ S. We also maintain the subset S_ddh ⊆ S 
of tuples (u1, λ, ν) satisfying the additional constraint that DHP(g1, u1, h, λ) = 
1. We also maintain a set S' (initially empty) of pairs 

(u1, K) ∈ G × {0,1}^L. 

To process a request to evaluate the random oracle at a point (u1, λ) ∈ G × G, 
the simulator executes the algorithm shown in Figure 1. 



if (u1, λ, ν) ∈ S for some ν ∈ {0,1}^L 
    return ν 
else if DHP(g1, u1, h, λ) = 0 { 
    ν ←R {0,1}^L 
    S ← S ∪ {(u1, λ, ν)} 
    return ν 
} 
else if u1 = u1' 
    output the solution λ = λ' to the CDH problem and halt 
else { 
    if (u1, K) ∈ S' for some K ∈ {0,1}^L 
        ν ← K ⊕ PIH(hk; λ) 
    else 
        ν ←R {0,1}^L 
    S ← S ∪ {(u1, λ, ν)} 
    S_ddh ← S_ddh ∪ {(u1, λ, ν)} 
    return ν 
} 

Fig. 1. Simulator’s algorithm to evaluate random oracle at (u1, λ). 



The manner in which pairs are added to S' is described below, in the 
description of the simulation of the decryption oracle. 

We next describe how the simulator deals with the encryption oracle. It 
computes u2' = (u1')^w, and computes v' = (u1')^{x+α'y}. It outputs a random L-bit 
string K' and the “target” ciphertext ' = (u1', u2', v'). Note that the output of 
the encryption oracle is independent of the random bit. 
Now we describe how the simulator deals with the decryption oracle. The 
algorithm used to process a request to decrypt a ciphertext = (u1, u2, v) ≠ ' 
is shown in Figure 2. 



α ← UOWH(k; u1, u2) 
if u2 ≠ u1^w or v ≠ u1^{x+αy} 
    return “reject” 
else if (u1, K) ∈ S' for some K ∈ {0,1}^L 
    return K 
else if (u1, λ, ν) ∈ S_ddh for some λ ∈ G and ν ∈ {0,1}^L 
    return ν ⊕ PIH(hk; λ) 
else { 
    K ←R {0,1}^L 
    S' ← S' ∪ {(u1, K)} 
    return K 
} 

Fig. 2. Simulator’s algorithm to decrypt = (u1, u2, v). 



That completes the description of the simulator. It is easy to verify that the 
actual attack and the attack played against this simulator are equivalent, at 
least up to the point where the adversary queries the random oracle at the point 
(u1', λ'). But up to that point, the hidden bit is independent of the adversary’s 
view. Therefore, since we are assuming the adversary does have a non-negligible 
advantage, the adversary must query the random oracle at the point (u1', λ') 
with non-negligible probability. 

That completes the proof of Theorem 3. 

Remarks 

Remark 1. The decryption algorithm tests if u2 = u1^w and v = u1^{x+αy}. In the 
proof of Theorem 2, we show that we can replace this test with a different test 
that is equivalent from the point of view of the data the adversary sees; however, 
these tests may not be equivalent from the point of view of timing information. In 
particular, if the decryption algorithm returns “reject” immediately after finding 
that u2 ≠ u1^w, this could perhaps leak timing information to the adversary that 
is not available in game G1 in the proof. We therefore recommend that both the 
tests u2 = u1^w and v = u1^{x+αy} are performed, even if one of them fails. 

Remark 2. In a typical implementation, the group G may be a subgroup of Z_p^* 
for a prime p, perhaps where p is much larger than q. In this case, after testing 
if the encodings of u1, u2, v properly represent elements of Z_p^*, the decryption 
algorithm must check that u1^q = 1, so as to ensure that u1 ∈ G. We need not 
make any further tests to check that u2, v ∈ G, since this is already implied by 
the tests u2 = u1^w and v = u1^{x+αy}. 
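As an added example (not code from the paper), the following Python toy implements the key encapsulation scheme of §4.3 together with the decryption checks of Remarks 1 and 2. It assumes G is the order-q subgroup of Z_p^* for a safe prime p found at import time, stands in SHA-256 for UOWH and MH and an affine hash for PIH, and uses a 32-bit key length; these parameters and hash instantiations are demo choices, not the paper's.

```python
import hashlib
import secrets

L = 32  # key length in bits; toy value chosen so that 2^L << q (entropy smoothing)

def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (fixed witness set)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(start):
    """Smallest p = 2q + 1 >= start with p and q prime; G is the order-q subgroup of Z_p^*."""
    q = (start // 2) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(1 << 62)  # constructed toy parameters; real use needs ~2048-bit p

def rand_in_group():
    """Random element of G minus {1}: squaring maps Z_p^* onto the order-q subgroup."""
    while True:
        x = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if x != 1:
            return x

def uowh(k, u1, u2):
    """Stand-in for UOWH: keyed SHA-256 reduced into Z_q (the paper assumes output in Z_q)."""
    data = k + u1.to_bytes(8, "big") + u2.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def pih(hk, lam):
    """Stand-in for PIH: affine hash (a*lam + b) mod p, truncated to L bits."""
    a, b = hk
    return ((a * lam + b) % P) & ((1 << L) - 1)

def mh(u1, lam):
    """Stand-in for the "magic" hash MH: SHA-256 of (u1, lam), truncated to L bits."""
    data = u1.to_bytes(8, "big") + lam.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: L // 8], "big")

def keygen():
    """Section 4.3 key generation: g2 = g1^w, c = g1^x, d = g1^y, h = g1^z."""
    g1 = rand_in_group()
    w = secrets.randbelow(Q - 1) + 1                    # w in Z_q minus {0}
    x, y, z = (secrets.randbelow(Q) for _ in range(3))
    g2, c, d, h = (pow(g1, e, P) for e in (w, x, y, z))
    k = secrets.token_bytes(16)                         # UOWH key
    hk = (secrets.randbelow(P), secrets.randbelow(P))   # PIH key
    return (g1, g2, c, d, h, k, hk), (w, x, y, z)

def encapsulate(pk):
    """Returns (K, (u1, u2, v)): u1 = g1^r, u2 = g2^r, v = c^r d^(r*alpha), lam = h^r."""
    g1, g2, c, d, h, k, hk = pk
    r = secrets.randbelow(Q)
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    alpha = uowh(k, u1, u2)
    v = pow(c, r, P) * pow(d, r * alpha % Q, P) % P
    lam = pow(h, r, P)
    return pih(hk, lam) ^ mh(u1, lam), (u1, u2, v)

def decapsulate(pk, sk, ct):
    """Returns the key, or None for "reject"."""
    g1, g2, c, d, h, k, hk = pk
    w, x, y, z = sk
    u1, u2, v = ct
    # Remark 2: the encodings must be elements of Z_p^*, and u1^q = 1 ensures u1 in G;
    # u2 and v need no separate subgroup test because the two checks below imply it.
    if not all(0 < t < P for t in (u1, u2, v)) or pow(u1, Q, P) != 1:
        return None
    alpha = uowh(k, u1, u2)
    # Remark 1: evaluate both tests before branching, so a failing u2 check does not
    # short-circuit and reveal through timing which of the two conditions rejected.
    ok_u2 = u2 == pow(u1, w, P)
    ok_v = v == pow(u1, (x + alpha * y) % Q, P)
    if not (ok_u2 and ok_v):
        return None
    lam = pow(u1, z, P)
    return pih(hk, lam) ^ mh(u1, lam)
```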
Remark 3. The decryption algorithm must compute either three or four exponentiations, 
all with respect to the same base u1. An implementation can and 
should exploit this to get a significantly more efficient decryption algorithm by 
using precomputation techniques (see, e.g. [LL94]). 

Remark 4. The reduction given in the proof of Theorem 3 is perhaps not as 
efficient as one would like. If is the time required to solve the DDH problem, 
and queries are made to the random oracle, then the running time of the 
simulator will be essentially that of the adversary plus ( • ) . Also, note that 

the inclusion of ui as an argument to MH is not essential to get a polynomial- 
time security reduction; however, if we dropped ui as an argument to MH, the 
only simulator we know how to construct has a term of ( • ' • ) in its running 

time, where ' is the number of decryption oracle queries. 

Remark 5. In the proof of Theorem 3, we argued that if there is an adversary 
with a non-negligible advantage in the attack game, then there is an efficient 
algorithm for solving the DDH. This perhaps deserves some elaboration. For such 
an adversary , there exists a polynomial ( 7 ) in the security parameter 7 , and 
an infinite set F of choices of the security parameter, such that for all 7 S T, the 
advantage of is at least 1/ ( 7 ) . We are assuming that the group is generated 
by a probabilistic function 5 ( 7 ) that takes the security parameter 7 as input. For 
an algorithm ', a security parameter 7 , and 0 < e < 1, define V{ ' 7 e) be the 
set of outputs of 5 ( 7 ) such that ' computes DHP on with error probability 
at most e. As in the previous remark, let be (an upper bound on) the number 
of random oracle queries made by . Then the existence of , together with 
Theorem 2, implies that there exists an efficient algorithm ' and a polynomial 
'( 7 ), such that for all 7 S T, Pr[^( 7 ) G U( ' 7 1/(2 ))] > 1/ '( 7 ). The 
reduction described in the proof of Theorem 3 only works when 7 G T and 
Gil) G U( '7 1/(2 )), but this is enough to contradict the CDH assumption. 
Abstract. The use of quantum bits (qubits) in cryptography holds 
the promise of secure cryptographic quantum key distribution schemes. 
Unfortunately, the implemented schemes are often operated in a regime 
which excludes unconditional security. We provide a thorough investiga- 
tion of security issues for practical quantum key distribution, taking into 
account channel losses, a realistic detection process, and modifications 
of the “qubits” sent from the sender to the receiver. We first show that 
even quantum key distribution with perfect qubits might not be achiev- 
able over long distances when fixed channel losses and fixed dark count 
errors are taken into account. Then we show that existing experimen- 
tal schemes (based on weak pulses) currently do not offer unconditional 
security for the reported distances and signal strength. Finally we show 
that parametric downconversion offers enhanced performance compared 
to its weak coherent pulse counterpart. 



1 Introduction 

Quantum information theory suggests the possibility of accomplishing tasks that 
are beyond the capability of classical computer science, such as information- 
theoretically secure cryptographic key distribution [3,5]. The lack of security 
proofs for standard (secret- and public-) key distribution schemes, and the 
insecurity of the most widely used classical schemes (such as RSA [27]) against 
potential attacks by quantum computers [29], emphasizes the need for provably 
information-theoretically secure key distribution. 

Whereas the security of idealized quantum key distribution (qkd) schemes 
has been reported against very sophisticated collective [8,7] and joint [22,23,6] 
attacks, we show here that already very simple attacks severely disturb the 
security of existing experimental schemes, for the chosen transmission length 
and signal strength. For a different parameter region a positive security proof 
against individual attacks has been given recently [19,20] making use of ideas 
presented here. 

In the four-state scheme introduced in 1984 by Bennett and Brassard [3], 
usually referred to as BB84, the sender (Alice) and the receiver (Bob) use two 
conjugate bases (say, the rectilinear basis, +, and the diagonal basis, ×) for the 
polarization of single photons. In basis + they use the two orthogonal basis states 
|0+⟩ and |1+⟩ to represent “0” and “1” respectively. In basis × they use the two 
orthogonal basis states |0×⟩ = (1/√2)(|0+⟩ + |1+⟩) and |1×⟩ = (1/√2)(|0+⟩ − |1+⟩) 

to represent “0” and “1”. The basis is revealed later on via an authenticated 
classical channel that offers no protection against eavesdropping. The signals 
where Bob used the same basis as Alice form the sifted key on which Bob can 
decode the bit value. In absence of disturbance by an eavesdropper (Eve) and 
errors of various kinds, the sifted key should be identical between Alice and Bob. 
The remaining signals are ignored in the protocol and in this security analysis. 
Finally, Alice and Bob test a few bits to estimate the error rate, and if it is less 
than some threshold, they use error correction and privacy amplification [2,4] to 
obtain a secure final key [6,23]. 

In order to be practical and secure, a quantum key distribution scheme must 
be based on existing — or nearly existing — technology, but its security must be 
guaranteed against an eavesdropper with unlimited computing power whose 
technology is limited only by the rules of quantum mechanics. The experiments 
that have been performed so far are usually based on weak coherent pulses 
(wcp) as signal states with a low probability of containing more than one pho- 
ton [2,13,30,11,25]. Initial security analysis of such weak-pulse schemes were 
done [2,15], and evidence of some potentially severe security problems (which do 
not exist for the idealized schemes) have been shown [15,32]. 

Using a conservative definition of security, we investigate such limitations 
much further to show insecurity of various existing setups, and to provide sev- 
eral explicit limits on experimental QKD. First, we show that secure QKD to 
arbitrary distance can be totally impossible for given losses and detector dark 
counts, even with the assumption of a perfect source. Second we show that QKD 
can be totally insecure even with perfect detection, if considering losses and 
multi-photon states. In a combination we compute a maximal distance beyond 
which (for any given source and detection units) secure QKD schemes cannot be 
implemented. Finally we prove the advantage of a better source which makes 
use of parametric downconversion (pdc). 
2 Losses and Dark Counts 



The effect of losses is that single-photon signals will arrive only with a probability 
η_T at Bob’s site where they will lead to a detection in Bob’s detectors with a 
probability η_B (detection efficiency). This leads to an expected probability of 
detected signals given by p_exp^signal = η_T η_B. For optical fibres, as used for most 
current experiments, the transmission efficiency η_T is connected to the absorption 
coefficient of the fibre, the length of the fibre and a distance-independent 
constant loss in optical components, via the relation 



= 10 " 



( 1 ) 



which, for given and , gives a one-to-one relation between distance and trans- 
mission efficiency. Quantum key distribution can also be achieved through free 
space [2,11], in which case the problem of lossy fibres is replaced by the problem 
of beam broadening. Each of Bob’s detectors is also characterized by a dark 
count probability d_B per time slot in the absence of the real signal, so that for a 
typical detection apparatus with two detectors the total dark count probability 
is given by p_dark ≈ 2 d_B. The dark counts are due to thermal fluctuations in the 
detector, stray counts, etc. Throughout the paper we assume conservatively that 
Eve has control on channel losses and on η_B, that all errors are controlled by 
Eve (including dark counts), and that Bob’s detection apparatus cannot resolve 
the photon number of arriving signals. Without these assumptions, one gets a 
relaxed security condition, which, however, is difficult to analyse and to justify. 

The total expected probability of detection events is given by 
exp — exp 
exp 
— exp 
(2) 



There are two differently contributing error mechanisms. The signal contributes 
an error with some probability due to misalignment or polarization diffusion. 
On the other hand, a dark count contributes with probability approximately 
1/2 to the error rate. As the transmission efficiency becomes smaller and 
smaller when the distance is increased, the errors due to dark counts become 
dominant. Therefore, considering the relevant limit where we can neglect the 
coincidence probability between a signal photon and a dark count, or between 
dark counts in both detectors, we have for the error rate (per sent signal) the 
approximate lower bound 



V 1_ dark 
— 2 exp 



(3) 



where “≳” means that is approximately greater than or equal to , when 
second-order terms are neglected. The contribution to the error rate per sifted 
key bit is then given by e = exp- 

If the error rate per sifted key bit e exceeds 1/4, there is no way to create 
a secure key. With such an allowed error rate, a simple intercept/resend attack 
(in which Eve measures in one of the two bases and resends according to her 
identification of the state) causes Bob and Eve to share (approximately) half of 
Alice’s bits and to know nothing about the other half; hence, Bob does not pos- 
sess information which is unavailable to Eve, and no secret key can be distilled. 
Using e = exp and e 5, we obtain a necessary condition for secure QKD 



and using (2,3), we finally obtain I’®"®'' ^ 

For ideal single-photon states we therefore obtain (with p_exp^signal = η_T η_B and 
p_dark ≈ 2 d_B) the bound η_T η_B ≳ 2 d_B. We see that even for ideal single-photon 
sources (SP), the existence of a dark count rate leads to a minimum transmission 
efficiency 

η_T^SP ≈ 2 d_B / η_B   (5) 

below which QKD cannot be securely implemented. Even for perfect detection 
efficiency (η_B = 1) we get a bound η_T^SP ≈ 2 d_B. These bounds correspond, 
according to (1), to a maximal covered distance, which mainly depends on . 



3 Losses and Imperfect Sources 

In a quantum optical implementation, single-photon states would be ideally 
suited for quantum key distribution. However, such states have not yet been 
practically implemented for QKD, although proposals exist and experiments have 
been performed to generate them for other purposes. The signals produced in 
the experiments usually contain zero, one, two, etc., photons in the same polar- 
ization (with probabilities p_0, p_1, p_2, etc., respectively). The multi-photon part 
of the signals, p_multi = Σ_{i≥2} p_i, leads to a severe security gap, as has been antici- 
pated earlier [2,15,32]. Let us present the photon number splitting (PNS) attack, 
which is a modification of an attack suggested in [15] (the attack of [15] was 
disputed in [32] so the modification is necessary): Eve deterministically splits 
one photon off each multi-photon signal. To do so, she projects the state onto 
subspaces characterized by , which is the total photon number, which can be 
measured via a quantum nondemolition (QND) measurement. The projection 
into these subspaces does not modify the polarization of the photons. Then she 
performs a polarization-preserving splitting operation, for example by an interac- 
tion described by a Jaynes-Cummings Hamiltonian [26,16] or an active arrange- 
ment of beamsplitters combined with further QND measurements. She keeps 
one photon and sends the other ( — 1) photons to Bob. When receiving the 
data regarding the basis, Eve measures her photon and obtains full information. 
Each signal containing more than one photon in this way will yield its complete 
information to an eavesdropper. 

The situation becomes worse in the presence of loss, in which case the eavesdropper
can replace the lossy channel by a perfect quantum channel and forward to Bob
only chosen signals. This suppression is controlled such that Bob will find precisely
the number of non-empty signals expected given the characterization of the lossy
channel. If there is a strong contribution by multi-photon signals, then Eve can use
only those signals and suppress the single-photon signals completely, to obtain full
information on the transmitted bits. For an error-free setup, this argument leads
to the necessary condition for security,

exp multi (6) 

where now the signal contribution is given by 

"xr‘ = E )T (7) 

i 

If this condition is violated, Eve gets full information without inducing any errors
or causing a change in the expected detection rate. For given probabilities $p_i$ and
a given transmission rate, a bound on the distance is obtained, even for perfect
detection. The limitation on practical QKD as shown in (6) was reported
independently in [10,18] after having been anticipated in [15].

Whereas this work concentrates mainly on insecurity results, we make here 
also an important observation, which is useful for positive security proofs. For a 
general source (emitting into the four BB84 polarization modes) analysing all 
possible attacks in a large Hilbert space (the Fock space) is a very difficult task. 
However, if Alice can dephase the states to create a mixture of “number states” 
(in the chosen BB84 polarization state) the transmitted signals are replaced by 
mixed states. Then, these states do not change at all when Eve performs a QND 
measurement on the total photon number as part of a PNS attack! Therefore 
Eve can be assumed to perform the QND part of the PNS attack without loss 
of generality. In that case, it is much easier to check that the PNS attack is ac- 
tually optimal since we start with an eavesdropper who knows the total photon 
number of each signal. Fortunately, in realistic scenarios the dephasing hap- 
pens automatically since the eavesdropper has no reference phase to the signal. 
Therefore, the signal states appear to be phase-averaged (“dephased”) signals 
from her perspective. In some experiments, a phase reference exists initially [25] , 
but could be destroyed by Alice adding random optical phase shifts to her weak 
signals. Following this observation, a complete positive security proof against all 
individual particle attacks has been subsequently given [19,20]. More sophisti- 
cated collective and joint attacks can also potentially be restricted to the PNS 
attacks. 



4 Putting It All Together 

Let us return to the necessary condition for security. We can combine the idea 
of the two criteria (4, 6) above to a single, stronger one, given by 

4 ( exp multi) (8) 

This criterion stems from the scenario that Eve splits all multi-photon signals 
while she eavesdrops on some of the single-photon signals — precisely on a pro- 
portion ( exp — multi) 1 of them — via the intercept/resend attack presented 
before, and suppresses all other single-photon signals. We can think of the key
as consisting of two parts: an error-free part stemming from multi-photon sig- 
nals, and a part with errors coming from single-photon signals. The error rate in 
the second part has therefore to obey the same inequality as used in criterion (4) . 

We now explore the consequences of the necessary condition for security for 
two practical signal sources. These are the weak coherent pulses and the signals 
generated by parametric downconversion. 



5 Weak Coherent Pulse Implementations 

In QKD experiments, the signal states are, typically, weak coherent pulses (WCP)
containing, on average, much less than one photon. The information is contained
in the polarization mode of the WCP.

Coherent states 



I )= " ^1 ) (9) 

n 

with amplitude (chosen to be real) give a photon number distribution (per 
pulse [9]) 

! (10) 

Since we analyse PNS attacks only, it doesn’t matter if the realistic “coherent 
state” is a mixture of number states. Thus, 



:'xr‘ = E ")" ! (11) 

n—l 

and 

OO 

multi = E ■“' ( T ! (12) 

n^2 

With exp < Ixp + 2 B and the error rate ^ b in (8) we find for ^ <C 1 

(by expanding to 4th order in and neglecting the term proportional to ^) 

the result 



m 2 ?7b 

The optimal choice ^ leads to the bound 

WCP ~ riB 



(13) 



(14) 



To illustrate this example we insert numbers $\eta_B = 0.11$ and $d_B = 5 \times 10^{-6}$ taken
from the experiment performed at 1.3 μm by Marand and Townsend [21]. Then
the criterion gives $\eta_{\mathrm{WCP}} \gtrsim 0.041$. With a constant loss of 5 dB and a fibre loss
of 0.38 dB/km, this is equivalent, according to (1), to a maximum distance of
24 km at an average (much lower than standard) photon number of $4.5 \times 10^{-3}$.
As we used approximations to reach (14), the achievable distance could differ
slightly from this value either way.

With $\mu = 0.1$, as in the literature, secure transmission to any distance is
impossible, according to our conditions. In that case, even if we assume $\eta_B$ to be
out of control of the eavesdropper, we find that secure transmission to a distance
of more than 21 km is impossible. Frequently we find even higher average photon
numbers in the literature, although Townsend has demonstrated the feasibility
of QKD with intensities as low as $\mu = 3 \times 10$“® at a wavelength of 0.8 μm [30].
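The photon-number-splitting argument of Sect. 3 applied to a Poissonian WCP source, as an added worked example that is not part of the paper. It assumes (as labelled in the code) the Poisson photon-number distribution of a coherent state, a detection model in which each photon reaching Bob is detected independently with probability $\eta_T \eta_B$ and dark counts are ignored, the necessary condition of (6) in the form $p^{\text{signal}}_{\exp} > p_{\text{multi}}$, and a loss model for (1) consisting of a constant loss plus a per-kilometre fibre loss; the numbers 5 dB, 0.38 dB/km, $\eta_B = 0.11$ and $\mu = 0.1$ are the ones quoted above. The `eve_controls_detector` switch is an assumed first-order model of the two cases in the last paragraph: with Bob's detector efficiency counted as part of the loss Eve can replace, the condition already fails at zero distance for $\mu = 0.1$; with $\eta_B$ taken out of Eve's control it fails beyond roughly 21 km.

```python
import math

# Assumed model (not from the paper): a weak coherent pulse has Poissonian
# photon statistics with mean photon number mu, and dark counts are ignored.


def p_multi(mu):
    """Probability that a pulse carries two or more photons (p_2 + p_3 + ...)."""
    return 1.0 - math.exp(-mu) * (1.0 + mu)


def p_signal(mu, eta):
    """Expected detection probability of a pulse when every photon is detected
    independently with probability eta.  For Poisson statistics the sum
    sum_n p_n (1 - (1-eta)^n) has the closed form 1 - exp(-eta*mu)."""
    return 1.0 - math.exp(-eta * mu)


def transmission(length_km, fixed_loss_db=5.0, fibre_loss_db_per_km=0.38):
    """Channel transmission eta_T for a fibre of the given length:
    constant loss plus per-km loss (the numbers quoted above for [21])."""
    return 10.0 ** (-(fixed_loss_db + fibre_loss_db_per_km * length_km) / 10.0)


def pns_condition_holds(mu, eta_T, eta_B, eve_controls_detector=True):
    """Necessary condition for security against the PNS attack: the honest
    detection rate must exceed what Eve can deliver from multi-photon
    pulses alone over a lossless channel."""
    if eve_controls_detector:
        # Bob's detector efficiency is part of the loss Eve may replace:
        # every multi-photon pulse she forwards counts as a detection.
        return p_signal(mu, eta_T * eta_B) > p_multi(mu)
    # eta_B outside Eve's control: her forwarded photon is still detected
    # with probability eta_B only (assumed first-order model).
    return p_signal(mu, eta_T * eta_B) > eta_B * p_multi(mu)


def max_secure_distance_km(mu, eta_B, eve_controls_detector=True,
                           step_km=0.1, max_km=500.0):
    """Longest fibre (to step_km resolution) for which the condition still
    holds; None if it already fails at zero distance."""
    if not pns_condition_holds(mu, transmission(0.0), eta_B, eve_controls_detector):
        return None
    steps = 0
    while (steps + 1) * step_km <= max_km and pns_condition_holds(
            mu, transmission((steps + 1) * step_km), eta_B, eve_controls_detector):
        steps += 1
    return steps * step_km


if __name__ == "__main__":
    for ctrl in (True, False):
        print("mu=0.1, eta_B=0.11, Eve controls detector:", ctrl, "->",
              max_secure_distance_km(0.1, 0.11, ctrl))
```

Run as a script it prints `None` for the first case and `21.8` for the second; lowering `mu` by an order of magnitude makes the first case pass again at a distance of a little over 22 km, which is the qualitative point of the paragraph above.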

6 Parametric Downconversion Implementations

The WCP scheme seems to be prone to difficulties due to the high probability of
signals carrying no photons (the vacuum contribution). This can be overcome in
part by the use of a parametric downconversion (PDC) scheme, which serves to
approximate single-photon states. Parametric downconversion has been used
before for QKD [12,28]. We use a different formulation, which enables us to analyse
the advantages and limits of the PDC method relative to the WCP approach.

To a good approximation, PDC produces pairs of photons. Although each
pair creation occurs at a random time, the two photons in the pair are created
simultaneously, and they are correlated in energy, direction of propagation and
polarization. Thus, detection of one photon provides information about the
existence and properties of the partner photon without any destructive probing of
the partner photon itself [14]. More technically, we create the state in an output
mode described by photon creation operator $a^\dagger$ conditioned on the detection of
a photon in another mode described by $b^\dagger$. If we neglect dispersion, then the
output of the PDC process is described [31] on the two modes with creation
operators $a^\dagger$ and $b^\dagger$ using the operator

(15)

with the parameter appearing in (15) satisfying $\ll 1$, as






I'^ah) 


= ab{ )|0 0 ) 






« ( l -2 " + i ")|0 0 )+( -1 ")|1 1 ) 






+ (^~l '‘)|2 2)-k 3|3 3)-k ^[4 4 ) 


(16) 



This state is a superposition of two-mode number states where $|n\,n\rangle$ corresponds
to a flux of $n$ photons in each mode. Whereas the earlier discussion on
the WCP concerns distinct pulses, and the number state corresponds to a specific
number of photons in the pulse (i.e. localized in time), the continuous output
of the PDC is better represented in terms of photon flux states [9]. On the other
hand, we can interpret these number states for PDC as localized number states,
to compare with the WCP case, by assuming the presence of choppers in each of
the modes. A chopper periodically blocks the mode, thus converting a continuous
output into a periodic sequence of pulses. By placing synchronized choppers in
each mode, the continuous output becomes a sequence of pulses and the photon
flux state can be regarded as a photon number state (per pulse).

If we had an ideal detector resolving photon numbers (that is, a perfect
counter) then we could create a perfect single-photon state by using the state
in mode $a$ conditioned on the detection of precisely one photon in the pulse in
mode $b$. However, realistic detectors useful for this task have a single-photon
detection efficiency far from unity and can resolve the photon number only at
high cost, if at all. Therefore, we assume a detection model which is described
by a finite detection efficiency $\eta_A$ and gives only two possible outcomes: either
it is not triggered or it is triggered, thereby showing that at least one photon
was present. The detector may experience a dark count rate $d_A$ per time slot.
The two POVM elements describing this kind of detector can be approximated
for our purpose by

OO 

o = (l- A)|0)(0| + ^(l-r;A)"| )( I (17) 

n—1 

and 

OO 

^|0)(0| + ^(l-(l-r;A)")| )( I (18) 

n—1 



The reduced density matrix for the output signal in mode conditioned on a 
click of the detector monitoring mode is then given by 



P — [l^a fc) (^a fc| click] 



1 

N L 



1 - 



2 4 

3 



PA 



)| 0 )( 0 | 

= (l-| ^)|l)(l| + r;A(2-r;A) 12)(2| 



(19) 



with the normalization constant N. To create the four signal states we rotate 
the polarization of the signal, for example using a beam-splitter and a phase 
shifter. Note that a mixture of Fock states is created by the detection process, 
so that the PNS attack is optimal for Eve. 

After some calculation following the corresponding calculation in the WCP
case, the necessary condition for security (8) takes for the signal state (19) the
form



2a b _|_2b_|_2 — ?7a 2 
PA Pb ^ Pb Pb 



(20) 



since we assume b ^ 1 and ^ <C 1 and neglect terms going as b A, and 
^ B- The first error term is due to coincidence of dark counts, the second error 
term is due to coincidence of a photon loss and a dark count at Bob's site; the
third term is the effect of multi-photon signals (signals that leak full information
to the eavesdropper). As in the WCP case, the optimal choice of



2 



?7a(2 - ?7a) 



(21) 



leads to the necessary condition for security 



PDC 



12 a b (2 — tja) 



VA Vb 



2 B 

m 



(22) 



If we now assume that Alice and Bob use the same detectors as in the WCP case
with the numbers provided by [21], we obtain $\eta_{\mathrm{PDC}} \gtrsim 8.4 \times 10^{-4}$, corresponding
via (1) to a distance of 68 km.

Since we can use downconversion setups which give photon pairs with different
wavelengths, we can use sources so that one photon has the right wavelength
for transmission over long distances, e.g. 1.3 μm, while the other photon has a
frequency which makes it easier to use efficient detectors [12]. In the limit of
Alice using perfect detectors (but not perfect counters), $\eta_A = 1$ and $d_A = 0$, we
obtain

$$\eta_{\mathrm{PDC}} \gtrsim \frac{2 d_B}{\eta_B} \qquad (23)$$

as for single-photon sources, yielding a maximal distance of 93 km. This optimal
distance might also be achievable using new single-photon sources of the type
suggested in [17].

7 Conclusions

We have shown a necessary condition for secure QKD which uses current experimental
implementations. We find that secure QKD might be achieved with the
present experiments using WCP if one would use appropriate parameters for the
expected photon number, which are considerably lower than those used today.
With current parameters, it seems that all current WCP experiments cannot be
proven secure. The distance that can be covered by QKD is mainly limited by
the fibre loss, but, with $\mu \approx 0.1$, WCP schemes might be totally insecure even
at zero distance (in several of the existing experiments), due to imperfect
detection. The distance can be increased by the use of parametric downconversion as
a signal source, but even in this case the fundamental limitation of the range 
persists, and a radical reduction of or of the dark counts is required in order 
to increase the distance to thousands of kilometers. 

The proposed "4+2" scheme [15], in which a strong reference pulse (as in [1])
from Alice is used in a modified detection process by Bob, might not suffer from
the sensitivities discussed here, but the security analysis would have to follow
different lines. The use of quantum repeaters [24] (based on quantum error
correction or entanglement purification) or of a string of teleportation stations
in the far future can yield secure transmission to any distance, and the security
is not altered even if the repeaters or stations are controlled by Eve.

Abstract. We show that although unconditionally secure quantum bit
commitment is impossible, it can be based upon any family of quantum
one-way permutations. The resulting scheme is unconditionally concealing
and computationally binding. Unlike the classical reduction of Naor,
Ostrovsky, Venkatesan and Young, our protocol is non-interactive and
has communication complexity $O(n)$ qubits for $n$ a security parameter.



1 Introduction 

The non-classical behaviour of quantum information provides the ability to expand
an initially short, secret random key shared between a pair of
trusted parties into a much longer one without compromising its security. The
BB84 scheme was the first proposed quantum secret-key expansion protocol [3]
and was shown secure by Mayers [12,14]. Since secret-key expansion is incompatible
with classical information theory, this indicates that quantum cryptography
is more powerful than its classical counterpart. However, quantum information
also has fundamental limits when cryptography between two potentially collaborative
but untrusted parties is considered. Mayers [13] has proven that any
quantum bit commitment scheme can be defeated either by the committer or by the
receiver as long as both sides have unrestricted quantum computational power.
Mayers' general result was built upon previous works of Mayers [11] and Lo and
Chau [9].

However, the no-go theorem does not imply that quantum cryptography in
the two-party case is equivalent to complexity-based classical cryptography. For
example, quantum bit commitment schemes can be built from physical assumptions
that are independent of the existence of one-way functions [16]. Moreover,
bit commitment is sufficient for quantum oblivious transfer [4,19], which would
be true in the classical world only if one-way functions imply trapdoor one-way
functions [8]. The physical assumption addressed in [16] restricts the size of the
entanglement the adversary's quantum computer can deal with. Implementing
any successful attack was shown, for a particular protocol with security parameter
$n$, to require an $\Omega(n)$-qubit quantum computer. However, such a physical
assumption says nothing about the complexity of the attack. In this paper, we
construct an unconditionally concealing quantum bit commitment scheme which
can be attacked successfully only if the adversary can break a general quantum
computational assumption.

We show that, similarly to the classical case [15], an unconditionally concealing
quantum bit commitment scheme can be based upon any family of quantum
one-way permutations. This result is not the direct consequence of the classical
construction proposed by Naor, Ostrovsky, Venkatesan and Young (NOVY)
[15]. One reason is that NOVY's analysis uses classical derandomization techniques
(rewinding) in order to reduce the existence of an inverter to a successful
adversary against the binding condition. In [18], it is shown that such a proof
fails completely in a quantum setting: if rewinding was possible then no quantum
one-way permutation would exist. Therefore, in order to show that NOVY's protocol
is conditionally binding against the quantum computer, one has to provide
a different proof.

We present a different construction using quantum communication in order
to enforce the binding property. In addition, whereas one NOVY commitment
requires $\Omega(n)$ rounds (in fact $n - 1$ rounds) of communication for security
parameter $n$, our scheme is non-interactive. Whether or not this is possible
to achieve classically is still an open question. In addition, the total amount of
communication of our scheme is $O(n)$ qubits, which also improves on the $\Omega(n^2)$ bits
needed in NOVY's protocol, as far as qubits and bits may be compared. Since
unconditionally concealing bit commitment is necessary and sufficient for zero-knowledge
arguments [5], using our scheme gives implementations requiring few
rounds of interaction with provable security based upon general computational
assumptions. Perfectly concealing commitment schemes are required for the security
of several applications (as in [5]). Using them typically forces the adversary
to break the computational assumption before the end of the opening phase,
whereas if the scheme was computationally concealing the dishonest receiver
could carry out the attack as long as the secret bit remains relevant. Any secure
application using NOVY as a sub-protocol can be replaced by one using our
scheme instead, thus improving communication complexity while preserving the
security.

This work provides motivations for the study of one-way functions in a quantum
setting. Quantum one-way functions and classical one-way functions are not
easily comparable [6]. On the one hand, Shor's algorithm [17] for factoring and
extracting discrete logs rules out any attempt to base quantum one-wayness upon
those computational assumptions. This means that several flexible yet useful
classical one-way functions cannot be used for computationally based quantum
cryptography.

On the other hand, because the quantum computer evaluates some functions
more efficiently than the classical one, some quantum one-way functions might
not be classically one-way, since classical computers might not even be able to
compute them in the forward direction. This suggests that quantum cryptography
can provide new foundations for computationally based security in cryptography.



Organization. First, we give some preliminaries and definitions in Sect. 2.
Therein, we define the model of computation, quantum one-way functions, and
the security criteria for the binding condition. In Sect. 3, we describe our perfectly
concealing but computationally binding bit commitment scheme. In Sect. 4,
we show that our scheme is indeed unconditionally concealing. Then we model
the attacks against the binding condition in Sect. 5. Section 6 reduces the existence
of a perfect inverter for a family of one-way permutations to any perfect
adversary against the binding condition of our scheme. In Sect. 7, we extend
the reduction by showing that any efficient adversary to the binding condition
implies an inverter for the family of one-way permutations working efficiently
and having good probability of success.

2 Preliminaries 

After having introduced the basic quantum ingredients, we define quantum one- 
way functions and the attacks against the binding condition of computationally 
binding quantum commitment schemes. We assume the reader familiar with the 
basics of quantum cryptography and computation. 

2.1 Quantum Encoding 

In the following, we denote the $m$-dimensional Hilbert space by $\mathcal{H}_m$. The basis
$\{|0\rangle, |1\rangle\}$ denotes the computational or rectilinear or "$+$" basis for $\mathcal{H}_2$. When the
context requires, we write $|x\rangle_+$ to denote the bit $x$ in the rectilinear basis. The
diagonal basis, denoted "$\times$", is defined as $\{|0\rangle_\times, |1\rangle_\times\}$ where $|0\rangle_\times = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$
and $|1\rangle_\times = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. The states $|0\rangle$, $|1\rangle$, $|0\rangle_\times$ and $|1\rangle_\times$ are the four
BB84 states. For any $x \in \{0,1\}^n$ and $\theta \in \{+,\times\}^n$, the state $|x\rangle_\theta$ is defined as
$\bigotimes_{i=1}^{n} |x_i\rangle_{\theta_i}$. An orthogonal (or von Neumann) measurement of a quantum state
in $\mathcal{H}_m$ is described by a set $M$ of orthogonal projections acting in $\mathcal{H}_m$ whose sum
is the identity operator in $\mathcal{H}_m$. Each projection, or equivalently each index of a
projection in the set, is a possible classical outcome for $M$. In the following, we write
$P^0_+ = |0\rangle\langle 0|$, $P^1_+ = |1\rangle\langle 1|$, $P^0_\times = |0\rangle_\times\langle 0|$ and $P^1_\times = |1\rangle_\times\langle 1|$ for the projections
along the four BB84 states. We also define for any $y \in \{0,1\}^n$ the projection operators
$P^y_{+^n} = \bigotimes_i P^{y_i}_+$ and $P^y_{\times^n} = \bigotimes_i P^{y_i}_\times$. Since the basis $+^n$ in $\mathcal{H}_{2^n}$ is the
computational basis, we also write $P^y = P^y_{+^n}$. In order to simplify the notation, in
the following we write $\theta(0) = +$ and $\theta(1) = \times$. For any $w \in \{0,1\}$, we denote by
$M_{\theta(w)^n}$ the von Neumann measurement $\{P^y_{\theta(w)^n}\}_{y \in \{0,1\}^n}$. We denote by $M_n$,
for $n \in \mathbb{N}$, the von Neumann measurement in the computational basis applied
on an $n$-qubit register.

Finally, in order to indicate that $|\psi\rangle \in \mathcal{H}_{2^r}$ is the state of a quantum register
$R \simeq \mathcal{H}_{2^r}$, we write $|\psi\rangle_R$. If $E \simeq \mathcal{H}_{2^r}$ and $S \simeq \mathcal{H}_{2^s}$ are two quantum
registers and $|\psi\rangle = \sum_{x \in \{0,1\}^r} \sum_{y \in \{0,1\}^s} \alpha_{x,y}\, |x\rangle \otimes |y\rangle \in \mathcal{H}_{2^r} \otimes \mathcal{H}_{2^s}$,
then we write $|\psi\rangle = \sum_{x \in \{0,1\}^r} \sum_{y \in \{0,1\}^s} \alpha_{x,y}\, |x\rangle_E |y\rangle_S$ to denote the state
of both registers $E$ and $S$. Given any transformation $U_E$ that acts on a register $E$
and any state $|\psi\rangle \in \mathcal{H}_E \otimes \mathcal{H}_{\text{others}}$, where $\text{others}$ corresponds to other registers,
we define $U_E |\psi\rangle \equiv (U_E \otimes I_{\text{others}}) |\psi\rangle$. We use the same notation when $U_E$
denotes a projection operator.

2.2 Model of Computation and Quantum One-Wayness 

Quantum one-way functions are defined as the natural generalization of classical
one-way functions. Informally, a quantum one-way function is a classical function
that can be evaluated efficiently by a quantum algorithm but cannot be inverted
efficiently and with good probability of success by any quantum algorithm. An
algorithm for inverting a one-way function is called an inverter. In this paper,
we model inverters (and adversaries against the binding condition) by quantum
circuits built out of the universal set of quantum gates $\mathcal{U}_G = \{\text{CNot}, H, R_\theta\}$, where
CNot denotes the controlled-NOT, $H$ the one-qubit Hadamard gate, and $R_\theta$ is an
arbitrary one-qubit non-trivial rotation specified by a matrix containing only
rational numbers [1]. A circuit $C$ executed in the reverse direction is denoted $C^\dagger$.
The composition of two circuits $C_1, C_2$ is denoted $C_1 \cdot C_2$. If the initial state before
the execution of a circuit $C$ is $|\psi\rangle$, the final state after the execution is $C|\psi\rangle$. To
compute a deterministic function : {0 1}” — > {0 I}'"!"), we need a circuit 
Cn on (n) qubits and we must specify n < (n) input qubits and (n) < (n) 
output qubits. The classical input is encoded in the state | ) of the n input 
qubits. The other qubits, i.e. the non input qubits, are always initialized in the 
fixed state |0). The random classical output of the circuit C„ on input G {0 1}” 
is defined as the classical outcome of M„(„) on the (n) output qubits at the 
end of the circuit. A family C = is an exact family of quantum circuits 

for the family of deterministic functions = { „ : {0 1}” ^ {0 if 

the classical output of the circuit $C_n$ on input $|x\rangle \otimes |0\rangle$ produces
with certainty the value of the $n$-th function at $x$ as output. This definition can be
generalized in the obvious way in order to cover the non-exact case and families
of random functions.

The complexity of the circuit is simply the number $\|C_n\|_{\mathcal{U}_G}$ of elementary
gates in $\mathcal{U}_G$ contained in $C_n$. Finally, the family $C$ is uniform if, given $1^n$ as input,
there exists a (quantum) Turing machine that produces $C_n \in C$ in (quantum)
polynomial time in $n$. The family $C$ is non-uniform otherwise. Our results hold
for both the uniform and the non-uniform cases. The following definition is
largely inspired by Luby's definitions for classical one-way functions [10]. Let $x_n$
be a uniformly distributed random variable over $\{0,1\}^n$.
Definition 1 A family of deterministic functions $\{f_n : \{0,1\}^n \to \{0,1\}^{\ell(n)} \mid n > 0\}$
is $R(n)$-secure quantum one-way if

— there exists an exact family of quantum circuits $C = \{C_n\}_{n > 0}$ for the family such
that for all $n > 0$, $\|C_n\|_{\mathcal{U}_G} \le \mathrm{poly}(n)$, and

— for all families of quantum circuits $C^{-1} = \{C^{-1}_n\}_{n > 0}$ and for all $n$ sufficiently
large, it is always the case that $\|C^{-1}_n\|_{\mathcal{U}_G} / S(n) > R(n)$, where $S(n) =
\Pr\big(f_n(C^{-1}_n(f_n(x_n))) = f_n(x_n)\big)$.

Each family of quantum circuits $C^{-1}$ is called an inverter and the mapping $S(n)$
is called its probability of success.

Note that whenever $f_n$ is a permutation, $S(n)$ can be written as $S(n) =
\Pr\big(f_n(C^{-1}_n(y_n)) = y_n\big)$ where $y_n$ is a uniformly distributed random variable in
$\{0,1\}^n$.

2.3 The Binding Condition 

In a non-interactive bit commitment scheme, an honest committer $A$ for bit $w$
starts with a system $\mathcal{H}_{AB} = \mathcal{H}_{\text{Keep}} \otimes \mathcal{H}_{\text{Open}} \otimes \mathcal{H}_{\text{Commit}}$ in the initial state $|0\rangle$,
executes a quantum circuit $C_{n,w}$ on $|0\rangle$ returning the final state $|\Psi_w\rangle \in \mathcal{H}_{AB}$,
and finally sends the subsystem $\text{Commit}$ to $B$ in the reduced state $\rho_B(w) =
\mathrm{Tr}_A(|\Psi_w\rangle\langle\Psi_w|)$, where $A$'s Hilbert space is $\mathcal{H}_A = \mathcal{H}_{\text{Keep}} \otimes \mathcal{H}_{\text{Open}}$. Once the
system $\text{Commit}$ is sent away to $B$, $A$ has only access to $\rho_A(w) = \mathrm{Tr}_B(|\Psi_w\rangle\langle\Psi_w|)$,
where $B$'s Hilbert space is $\mathcal{H}_B = \mathcal{H}_{\text{Commit}}$. To open the commitment, $A$ needs
only to send the system $\text{Open}$ together with $w$. The receiver then tests the
value of $w$ by measuring the system $\text{Open} \otimes \text{Commit}$ with some measurement
that is fixed by the protocol in view of $w$. He obtains the outcome $w = 0$, $w = 1$,
or $w = \bot$ when the value of $w$ is rejected.

An attack of the committer $A$ must start with the state $|0\rangle$ of some system
$\mathcal{H}_{AB} = \mathcal{H}_{\text{Extra}} \otimes \mathcal{H}_A \otimes \mathcal{H}_{\text{Commit}}$. A quantum circuit $C^n$ that acts on $\mathcal{H}_{AB}$ is
executed to obtain a state $|\Xi\rangle$ and the subsystem $\text{Commit}$ is sent to the receiver.
Later, any quantum circuit $O^n$ which acts on $\text{Extra} \otimes \text{Keep} \otimes \text{Open}$ can be
executed before sending the subsystem $\text{Open}$ to the verifier. The important
quantum circuits which act on $\text{Extra} \otimes \text{Keep} \otimes \text{Open}$ are the quantum circuits
$O^n_w$, $w = 0, 1$, which respectively maximize the probability that the bit $w = 0$
and $w = 1$ is unveiled with success. Therefore, any attack can be modeled by
triplets of quantum circuits $\{(C^n, O^n_0, O^n_1)\}_{n > 0}$.

The efficiency of an adversary is determined by 1) the total number of elementary
gates $\|C^n\|_{\mathcal{U}_G} + \|O^n_0\|_{\mathcal{U}_G} + \|O^n_1\|_{\mathcal{U}_G}$ in the three circuits $C^n$,
$O^n_0$ and $O^n_1$, and 2) the probabilities $S_w(n)$, $w = 0, 1$, that he succeeds to unveil
$w$ using the associated optimal circuit $O^n_w$. The definition of $S_w(n)$ explicitly
requires that the value of $w$, which the adversary tries to open, is chosen not only
before the execution of the measurement on $\text{Open} \otimes \text{Commit}$ by the receiver
but also before the execution of the circuit $O^n_w$ by the adversary.

In the classical world, one can always fix the adversary's committed bit by
fixing the content of his random tape, that is, we can require that either the
probability to unveil 0 or the probability to unveil 1 vanishes, for every fixed value
of the random tape. This way of defining the security of a bit commitment scheme
does not apply in the quantum world because, even if we fix the random tape,
the adversary could still introduce randomness in the quantum computation. In
particular, a quantum committer can always commit to a superposition of $w = 0$
and $w = 1$ by preparing the following state

$$\sqrt{p_0}\, |0_A\rangle \otimes |\Psi_0\rangle + \sqrt{1 - p_0}\, |1_A\rangle \otimes |\Psi_1\rangle \qquad (1)$$

where $|\Psi_0\rangle$ and $|\Psi_1\rangle$ are the honest states generated for committing to 0 and
1 respectively and $|0_A\rangle$ and $|1_A\rangle$ are two orthogonal states of $\mathcal{H}_{\text{Extra}}$, an extra
ancilla kept by $A$. In this case, for both values of $w \in \{0,1\}$, the opening circuit
can put $\text{Open}$ into a mixture that will unveil $w$ successfully with some
non-zero probability. So we have $S_0(n), S_1(n) > 0$. The fact that the binding
condition $S_0(n) = 0 \vee S_1(n) = 0$ is too strong was previously noticed in [13]. We
propose the weaker condition $S_0(n) + S_1(n) - 1 \le \varepsilon(n)$ where $\varepsilon(n)$ is negligible
(i.e. smaller than the inverse of any polynomial in $n$). For classical applications,
this binding condition (with $\varepsilon(n) = 0$) is as good as if the committer was forced
to honestly commit a random bit (with the bias of his choice) and only had
the power to abort in view of the bit. The power of this binding condition for
quantum applications is unclear, but we think it is a useful condition even in
that context.

We now extend this binding condition to a computational setting. It is
convenient to restrict ourselves to the cases where $O^n_0$ is the identity circuit.
We can adopt this restriction without loss of generality because any triplet
$(C^n, O^n_0, O^n_1)$ can easily be replaced by the three quantum circuits $(C^n_0, 1, U^n_{0,1})$,
where $C^n_0 = (O^n_0 \otimes 1_{\text{Commit}}) \cdot C^n$ and $U^n_{0,1} = O^n_1 \cdot (O^n_0)^\dagger$, without changing
the adversary's strategy. The difference in complexity between applying
$(C^n, O^n_0, O^n_1)$ and $(C^n_0, 1, U^n_{0,1})$ is only $\|O^n_0\|_{\mathcal{U}_G}$. Therefore, the adversary
is completely determined by the pair $(C^n_0, U^n_{0,1})$, where $C^n_0$ acts on all
registers in $\mathcal{H}_{AB}$, and $U^n_{0,1}$ is restricted to act only in $\text{Extra} \otimes \text{Keep} \otimes \text{Open}$.

Definition 2 An adversary $\mathcal{A} = \{(C^n_0, U^n_{0,1})\}_{n > 0}$ for the binding condition of a
quantum bit commitment scheme is $(S(n), T(n))$-successful if for all $n \in \mathbb{N}$,
$\|U^n_{0,1}\|_{\mathcal{U}_G} + \|C^n_0\|_{\mathcal{U}_G} \le T(n)$ and $S_0(n) + S_1(n) - 1 = S(n)$. An adversary with
$S(n) = 1$ is called a perfect adversary.

Any $(0, T(n))$-successful adversary does not achieve more than what an honest
committer is able to do. In order to cheat, an adversary must be $(S(n), T(n))$-successful
for some non-negligible $S(n) > 0$. The security of a quantum bit
commitment scheme is defined as follows:

Definition 3 A quantum bit commitment scheme is $R(n)$-binding if there exists
no $(S(n), T(n))$-successful quantum adversary against the binding condition that
satisfies $T(n) / S(n) < R(n)$. A quantum bit commitment scheme is perfectly
concealing (statistically concealing) if the systems received for the commitments
of 0 and 1 are identical (resp. statistically indistinguishable).
It is easy to verify that if an $R(n)$-binding classical bit commitment scheme (satisfying
the classical definition) allows to implement a cryptographic task securely,
then using an $R(n)$-binding quantum bit commitment scheme instead would also
provide a secure implementation.

The scheme we describe next will be shown to be perfectly concealing and
$\Omega(R(n))$-binding whenever used with an $R(n)^2$-secure family of one-way
permutations.



3 The Scheme 

Let $\Sigma = \{\sigma_n : \{0,1\}^n \to \{0,1\}^n \mid n > 0\}$ be a family of one-way permutations.
The commitment scheme takes, as common input, a security parameter $n \in \mathbb{N}$
and the description of the family $\Sigma$. The quantum part of the protocol below is
similar to the protocol for quantum coin tossing described in [3]. Given $\Sigma$ and $n$,
the players determine the instance $\sigma_n : \{0,1\}^n \to \{0,1\}^n \in \Sigma$. $A$ sends through
the quantum channel $\sigma_n(x)$ for $x \in_R \{0,1\}^n$ polarized in basis $\theta(w)^n$ where
$w \in \{0,1\}$ is the committed bit. $B$ then stores the received quantum state until
the opening phase. It is implicit here that $B$ must protect the received system
$\mathcal{H}_{\text{Commit}} \simeq \mathcal{H}_{2^n}$ against decoherence until the opening phase. The opening phase
consists only for $A$ to unveil all her previous random choices, allowing $B$ to
verify the consistency of the announcement by measuring the received state. So,
$\mathcal{H}_{\text{Open}} \simeq \mathcal{H}_{2^n}$ is only used to store classical information.



$\text{commit}_{\Sigma,n}(w)$

1. $A$ picks $x \in_R \{0,1\}^n$, computes $y = \sigma_n(x)$ for $\sigma_n \in \Sigma$,

2. $A$ sends the quantum state $|\sigma_n(x)\rangle_{\theta(w)^n} \in \mathcal{H}_{\text{Commit}}$ to $B$.



$\text{open}_{\Sigma,n}(w, x)$

1. $A$ announces $w$ and $x$ to $B$,

2. $B$ measures $\rho_B$ with measurement $M_{\theta(w)^n}$, thus providing the classical outcome
$y \in \{0,1\}^n$,

3. $B$ accepts if and only if $y = \sigma_n(x)$.
4 The Concealing Condition

In this section, we show that every execution of $commit_{\Sigma,n}$ conceals $w$ perfectly.

Let $\rho_w$, for $w \in \{0,1\}$, be the density matrix corresponding to the mixture sent by A when the classical bit $w$ is committed, where $\theta(0) = +$ and $\theta(1) = \times$. Since $\sigma_n$ is a permutation of the elements of $\{0,1\}^n$, we get

$$\rho_0 = \sum_{x\in\{0,1\}^n} 2^{-n}\,|\sigma_n(x)\rangle_+\langle\sigma_n(x)| = 2^{-n}\,I_{2^n} = \sum_{x\in\{0,1\}^n} 2^{-n}\,|\sigma_n(x)\rangle_\times\langle\sigma_n(x)| = \rho_1 \qquad (2)$$

where $I_{2^n}$ is the identity operator on $\mathcal{H}_{2^n}$. The following lemma follows directly from (2).

Lemma 1. Protocol $commit_{\Sigma,n}(w)$ is perfectly concealing.

Proof: The quantum states $\rho_0$ and $\rho_1$ are the same. It follows that no quantum measurement can distinguish between the commitments of 0 and 1. □
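The commit and open phases of Sect. 3 and the concealing argument of Lemma 1, as an added state-vector simulation (added here; it is not code from the original paper or its authors). It uses a toy $n = 3$ and a fixed bijection SIGMA as a constructed stand-in for $\sigma_n$ (it is not one-way, and no candidate quantum one-way permutation is known), represents $|y\rangle_+$ and $|y\rangle_\times$ as real $2^n$-dimensional vectors, and checks three things: an honest opening is always accepted, $\rho_0 = \rho_1 = 2^{-n}I$, and a sender who committed in basis $\theta(0)$ and later tries to open as $w = 1$ is accepted with probability only $2^{-n}$ whatever $x$ she announces (the naive attack; the general attack of Sect. 5 is not simulated). All names below are this example's own.

```python
# Added example (not from the paper): state-vector simulation of commit/open and of
# the concealing property for a toy security parameter n. All amplitudes are real,
# so plain Python floats suffice; no quantum library is needed.

N = 3                       # toy security parameter; the state space has dimension 2^N
DIM = 1 << N

# Constructed stand-in for sigma_n: a fixed bijection on {0,1}^3 given as a table.
# It is NOT one-way (no candidate quantum one-way permutation is known); it only
# plays the role of sigma_n in the protocol mechanics.
SIGMA = [5, 2, 7, 0, 3, 6, 1, 4]
assert sorted(SIGMA) == list(range(DIM)), "SIGMA must be a permutation"


def _dot_parity(a, b):
    """Inner product of the bit strings a and b modulo 2."""
    return bin(a & b).count("1") & 1


def basis_vector(y, w):
    """|y>_{theta(w)} as a 2^N-dimensional real vector.
    theta(0) = '+' (computational basis), theta(1) = 'x' (Hadamard basis)."""
    if w == 0:
        return [1.0 if z == y else 0.0 for z in range(DIM)]
    scale = 2.0 ** (-N / 2)
    return [scale * (-1) ** _dot_parity(y, z) for z in range(DIM)]


def commit(x, w):
    """commit_{Sigma,n}(w) from A's side: encode y = sigma_n(x) in basis theta(w)."""
    return basis_vector(SIGMA[x], w)


def accept_probability(state, w, x):
    """open_{Sigma,n}(w, x) from B's side: measure the received state in basis theta(w)
    and accept iff the outcome equals sigma_n(x).
    Returns Pr[accept] = |<sigma_n(x)|_{theta(w)} state>|^2."""
    amplitude = sum(a * b for a, b in zip(basis_vector(SIGMA[x], w), state))
    return amplitude * amplitude


def mixture(w):
    """rho_w = 2^-n sum_x |sigma_n(x)>_theta(w) <sigma_n(x)|: B's view when x is unknown (eq. (2))."""
    rho = [[0.0] * DIM for _ in range(DIM)]
    for x in range(DIM):
        v = commit(x, w)
        for i in range(DIM):
            for j in range(DIM):
                rho[i][j] += v[i] * v[j] / DIM
    return rho


def is_maximally_mixed(rho, tol=1e-9):
    """True iff rho equals 2^-n times the identity, i.e. carries no information about w."""
    return all(abs(rho[i][j] - (1.0 / DIM if i == j else 0.0)) < tol
               for i in range(DIM) for j in range(DIM))


def naive_cheat_probability(x_committed, w_committed, w_claimed, x_claimed):
    """A commits honestly to w_committed, then announces (w_claimed, x_claimed) at opening."""
    return accept_probability(commit(x_committed, w_committed), w_claimed, x_claimed)


if __name__ == "__main__":
    print("honest open accepted with prob", accept_probability(commit(3, 1), 1, 3))
    print("rho_0 == rho_1 == I/2^n:",
          is_maximally_mixed(mixture(0)) and is_maximally_mixed(mixture(1)))
    print("basis switch accepted with prob", naive_cheat_probability(3, 0, 1, 6),
          "= 2^-n =", 1 / DIM)
```

The measurement is modelled by projecting onto a single basis vector, which is all B needs here: the accept test only asks whether the outcome equals $\sigma_n(x)$. Measuring a $+$-basis state in the $\times$ basis gives a uniformly random outcome, which is why the basis-switching cheat lands at exactly $2^{-n}$.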



5 The Most General Attack

Here we describe the most general adversary $\mathcal{A} = \{(C^n_0, U^n_{0,1})\}_{n > n_0}$ against the binding condition of our scheme. We shall prove in the subsequent sections that any such attack can be used to invert the one-way permutation.

The adversary does not necessarily know which value $y$ will take on the receiver's side after the measurement on $Commit$ associated with the opening of $w$. He computes $x \in \{0,1\}^n$ using $U^n_{0,1}$, announces $(x, w)$ and hopes that $\sigma_n(x) = y$. So we have that $Open \cong \mathcal{H}_{2^n}$ is used to encode $x \in \{0,1\}^n$. We separate the entire system in three parts: the system $Commit$ that encodes $y$, the system $Open$ that encodes $x$, and the remainder of the system, which we conveniently denote all together by $Keep$ (thus including, for simplicity, the register $Extra$). We easily obtain that the states $|\psi^n_w\rangle = C^n_w|0\rangle$, $w = 0,1$, can be written in the form

$$|\psi^n_0\rangle = \sum_{x,y\in\{0,1\}^n} |\gamma^{x,y}_0\rangle^{Keep}\otimes|x\rangle^{Open}\otimes|y\rangle^{Commit}_+ \qquad (3)$$

with $\sum_{x,y}\||\gamma^{x,y}_0\rangle\|^2 = 1$, and

$$|\psi^n_1\rangle = \sum_{x,y\in\{0,1\}^n} |\gamma^{x,y}_1\rangle^{Keep}\otimes|x\rangle^{Open}\otimes|y\rangle^{Commit}_\times \qquad (4)$$

with $\sum_{x,y}\||\gamma^{x,y}_1\rangle\|^2 = 1$. In the following, we shall refer to the states $|\psi^n_0\rangle$ and $|\psi^n_1\rangle$ as the 0-state and the 1-state of the attack respectively. The transformation $U^n_{0,1}$ is applied on the system $Keep \otimes Open$.

The next section restricts the analysis to the case where an adversary $\mathcal{A}$ can open both $w = 0$ and $w = 1$ with probability of success $S^n_0 = S^n_1 = 1$. Such an adversary is called a perfect adversary. We show that any perfect adversary can invert $\sigma_n(x)$ efficiently for any $x \in \{0,1\}^n$. In Sect. 7 we generalize the result to all imperfect but otherwise good adversaries. We show that any polynomial-time adversary for which $S^n_0 + S^n_1 > 1 + 1/poly(n)$ inverts $\sigma_n(x)$, for $x \in_R \{0,1\}^n$, efficiently and with non-negligible probability of success.

6 Perfect Attacks

In this section, we prove that any efficient perfect adversary $\mathcal{A} = \{(C^n_0, U^n_{0,1})\}_n$ against the binding condition can be used to invert the one-way permutation efficiently with probability of success 1. In the next section, we shall use a similar technique for the case where the attack is not perfect.

By definition, a perfect adversary $\mathcal{A}$ is $(1, t(n))$-successful, that is, $S^n_0 = S^n_1 = 1$. We obtain that $\||\gamma^{x,y}_w\rangle\| = 0$ if $\sigma_n(x) \neq y$, so that

$$|\psi^n_0\rangle = \sum_{x\in\{0,1\}^n} |\gamma^{x}_0\rangle^{Keep}\otimes|x\rangle^{Open}\otimes|\sigma_n(x)\rangle^{Commit}_+ = C^n_0|0\rangle, \qquad (5)$$

where $|\gamma^x_0\rangle$ corresponds to $|\gamma^{x,\sigma_n(x)}_0\rangle$ and $\sum_x\||\gamma^x_0\rangle\|^2 = 1$, and

$$|\psi^n_1\rangle = \sum_{x\in\{0,1\}^n} |\gamma^{x}_1\rangle^{Keep}\otimes|x\rangle^{Open}\otimes|\sigma_n(x)\rangle^{Commit}_\times = U^n_{0,1}|\psi^n_0\rangle, \qquad (6)$$

where $|\gamma^x_1\rangle$ corresponds to $|\gamma^{x,\sigma_n(x)}_1\rangle$ and $\sum_x\||\gamma^x_1\rangle\|^2 = 1$. A 0-state and 1-state satisfying (5) and (6) is called a perfect pair. Any perfect adversary $\mathcal{A} = \{(C^n_0, U^n_{0,1})\}_n$ generates a perfect pair for all $n > 0$.

Let $P^{y}_{Commit}$ and $P'^{\,y}_{Commit}$ be the projection operators onto $|y\rangle_+$ and $|y\rangle_\times$ respectively, acting upon register $Commit$. We assume that we have an input register $Y \cong \mathcal{H}_{2^n}$ initialized in the basis state $|u\rangle$ on input $u$. The states $|\Psi_0(u)\rangle = P'^{\,u}_{Commit}|\psi^n_0\rangle$, $u \in \{0,1\}^n$, play an essential role in the mechanisms used by the inverter. These states have three key properties for every $u \in \{0,1\}^n$:

1. $\||\Psi_0(u)\rangle\| = 2^{-n/2}$,

2. there exists a simple circuit $W_n$ on $Y \otimes Open \otimes Commit$ which, if $u$ is encoded in register $Y$, unitarily maps $|\psi^n_0\rangle$ into $2^{n/2}|\Psi_0(u)\rangle$, and

3. $U^n_{0,1}|\Psi_0(u)\rangle = |\gamma^{\sigma_n^{-1}(u)}_1\rangle^{Keep}\otimes|\sigma_n^{-1}(u)\rangle^{Open}\otimes|u\rangle^{Commit}_\times$.

On input $u \in \{0,1\}^n$, the inverter creates the state $|\psi^n_0\rangle$, then applies the circuit $W_n$, then the circuit $U^n_{0,1}$, and finally measures the register $Open$ to obtain $\sigma_n^{-1}(u)$. We now prove these three properties.



6.1 Proof of Properties 1 and 3

First we write the state $|\psi^n_0\rangle$ using the basis $\times^n$ for the register $Commit \cong \mathcal{H}_{2^n}$ and project onto $|u\rangle_\times$. We get

$$|\Psi_0(u)\rangle = 2^{-n/2}\sum_{y\in\{0,1\}^n}(-1)^{u\cdot y}\,|\gamma^{\sigma_n^{-1}(y)}_0\rangle^{Keep}\otimes|\sigma_n^{-1}(y)\rangle^{Open}\otimes|u\rangle^{Commit}_\times,$$

from which we easily obtain, after the change of variable $\sigma_n^{-1}(y) \to x$,

$$|\Psi_0(u)\rangle = 2^{-n/2}\sum_{x\in\{0,1\}^n}(-1)^{u\cdot\sigma_n(x)}\,|\gamma^{x}_0\rangle^{Keep}\otimes|x\rangle^{Open}\otimes|u\rangle^{Commit}_\times. \qquad (7)$$

Property 1 follows from (7). Note that the states $|\Psi_0(u)\rangle$ can be mapped one into the other by a unitary mapping, a conditional phase shift which depends on $u$ and $\sigma_n(x)$. Because (6) can be rewritten as

$$|\psi^n_1\rangle = \sum_{u\in\{0,1\}^n}|\gamma^{\sigma_n^{-1}(u)}_1\rangle^{Keep}\otimes|\sigma_n^{-1}(u)\rangle^{Open}\otimes|u\rangle^{Commit}_\times,$$

and because $U^n_{0,1}$ acts only on $Keep\otimes Open$ and therefore commutes with $P'^{\,u}_{Commit}$, it follows that, for all $u \in \{0,1\}^n$, we have

$$U^n_{0,1}|\Psi_0(u)\rangle = P'^{\,u}_{Commit}\,U^n_{0,1}|\psi^n_0\rangle = P'^{\,u}_{Commit}|\psi^n_1\rangle = |\gamma^{\sigma_n^{-1}(u)}_1\rangle^{Keep}\otimes|\sigma_n^{-1}(u)\rangle^{Open}\otimes|u\rangle^{Commit}_\times,$$

which concludes the proof of property 3.



6.2 Proof of Property 2

A simple comparison of (5) and (7) suggests what needs to be done to obtain $2^{n/2}|\Psi_0(u)\rangle$ efficiently starting from $|\psi^n_0\rangle$. Assume the input register $Y = Y_1\otimes\cdots\otimes Y_n \cong \mathcal{H}_{2^n}$ is in the basis state $|u\rangle$. The first step is to add the phase $(-1)^{u\cdot\sigma_n(x)}$ in front of each term in the sum of (5). Note that, for every $u \in \{0,1\}^n$, this is a unitary mapping on $Keep\otimes Open\otimes Commit$. It is sufficient to execute a circuit $\Phi_1$ which, for each $i \in \{1,\ldots,n\}$, acts on the corresponding pair of qubits in $Y\otimes Commit$. The circuit $\Phi_1$ maps each state $|u_i\rangle\otimes|\sigma_n(x)_i\rangle_+$, $i = 1,\ldots,n$, into $(-1)^{u_i\,\sigma_n(x)_i}\,|u_i\rangle\otimes|\sigma_n(x)_i\rangle_+$. It can easily be implemented as $\Phi_1 = (H\otimes 1_{Commit})\cdot CNot\cdot(H\otimes 1_{Commit})$, where each $H$ is applied to register $Y$ and where register $Commit$ encodes the control bit of the $CNot$ gate. We denote by $\Phi_n$ the complete quantum circuit acting on $Y\otimes Commit$ and applying $\Phi_1$ to each pair $i \in \{1,\ldots,n\}$ of qubits $|u_i\rangle\otimes|\sigma_n(x)_i\rangle \in Y_i\otimes Commit_i$.

The second step is to set the register $Commit$, which contains the state $|\sigma_n(x)\rangle_+$, into the new state $|u\rangle_\times$. For this we use the composition of three circuits. The first circuit, $U_{\sigma_n} : |x\rangle^{Open}|\sigma_n(x)\rangle^{Commit}_+ \mapsto |x\rangle^{Open}|\sigma_n(x)\oplus\sigma_n(x)\rangle^{Commit}_+$, sets the quantum register $Commit$ into the new state $|0\rangle_+$. Note that $U_{\sigma_n}$ is the quantum circuit that is guaranteed to compute $\sigma_n(x)$ efficiently. The second circuit, $\Phi : |u\rangle^{Y}\otimes|0\rangle^{Commit}_+ \mapsto |u\rangle^{Y}\otimes|u\rangle^{Commit}_+$, sets $Commit$ into the state $|u\rangle_+$ by simply applying a $CNot$ between registers $Y_i$ and $Commit_i$ for $i \in \{1,\ldots,n\}$. Finally the third circuit executes the Hadamard transform $H_n$ on $Commit$, which maps the $+^n$ basis into the $\times^n$ basis (it is simply $n$ Hadamard gates $H$). The composition of $\Phi_n$ with these three circuits is the circuit $W_n$ shown in Fig. 1. This circuit allows one to generate any $2^{n/2}|\Psi_0(u)\rangle$ for $u \in \{0,1\}^n$. Moreover, it is easy to verify that $\|W_n\|_{UG} = \|U_{\sigma_n}\|_{UG} + 5n$. The following is a straightforward consequence of these three properties, the definition of $W_n$ and the above discussion:
Fig. 1. Transformation $W_n$.

Lemma 2. If there exists a $(1, t(n))$-successful adversary against $commit_{\Sigma,n}$, then there exists an adversary against $\Sigma$ with time-success ratio

$$R(n) \le t(n) + \|U_{\sigma_n}\|_{UG} + 5n.$$

It follows that the adversary against $\Sigma$ has about the same complexity as the one against the binding condition of $commit_{\Sigma,n}$. In the next section, we show that the same technique can be applied to the case where the adversary does not implement a perfect attack against $commit_{\Sigma,n}$.

7 The General Case

In this section, we consider any attack that yields a non-negligible success probability to a cheating committer. In terms of Definition 2, such an adversary $\mathcal{A} = \{(C^n_0, U^n_{0,1})\}_n$ must be $(\varepsilon(n), t(n))$-successful for some $\varepsilon(n) > 1/poly(n) > 0$. In order for the attack to be efficient, $t(n)$ must also be upper bounded by some polynomial.

In general, the 0-state $|\psi^n_0\rangle$ and 1-state $|\psi^n_1\rangle$ of adversary $\mathcal{A}$ can always be written as in (3) and (4) respectively. In this general case, the probability of success of unveiling the bit $w$, i.e. the probability of not being caught cheating, is the probability of the event that $\mathcal{A}$ announces a value $x$ and the outcome of B's measurement happens to be $\sigma_n(x)$. One can easily see that this probability is given by

$$S^n_w = \sum_{x\in\{0,1\}^n}\||\gamma^{x,\sigma_n(x)}_w\rangle\|^2. \qquad (8)$$

If the adversary $\mathcal{A}$ is $(\varepsilon(n), t(n))$-successful then

$$S^n_0 + S^n_1 \ge 1 + \varepsilon(n). \qquad (9)$$

In that setting, our goal is to show that from such an adversary $\mathcal{A}$, $\sigma_n^{-1}(u)$ can be computed similarly to the perfect case and with probability of success at least $1/poly(n)$ whenever $u \in_R \{0,1\}^n$ and $\varepsilon(n)^{-1}$ is smaller than some positive polynomial.



7.1 The Inverter

Compared to the perfect case, the inverter for the general case will involve an extra step devised to produce a perfect 0-state $|\tilde\psi^n_0\rangle$ from the initial and imperfect 0-state $|\psi^n_0\rangle$. Although this preprocessing will succeed only with some probability, any $(\varepsilon(n), t(n))$-successful adversary can distill $|\tilde\psi^n_0\rangle$ from $|\psi^n_0\rangle$ efficiently and with good probability of success. From $|\tilde\psi^n_0\rangle$ the inverter then proceeds the same way as in the perfect case.

The distillation process involves a transformation $T_n$ acting on $Open\otimes Commit\otimes T$, where $T \cong \mathcal{H}_{2^n}$ is an extra register. We define $T_n$ as:

$$T_n : |x\rangle^{Open}|y\rangle^{Commit}_+|0\rangle^{T} \mapsto |x\rangle^{Open}|y\rangle^{Commit}_+|\sigma_n(x)\oplus y\rangle^{T}. \qquad (10)$$

Clearly, one can always write

$$T_n\big(|\psi^n_0\rangle\otimes|0\rangle^T\big) = \sum_{x}|\gamma^{x,\sigma_n(x)}_0\rangle^{Keep}\otimes|x\rangle^{Open}\otimes|\sigma_n(x)\rangle^{Commit}_+\otimes|0\rangle^T \;+\; \sum_{x,\;y\ne\sigma_n(x)}|\gamma^{x,y}_0\rangle^{Keep}\otimes|x\rangle^{Open}\otimes|y\rangle^{Commit}_+\otimes|\sigma_n(x)\oplus y\rangle^T. \qquad (11)$$

Upon standard measurement of register $T$ in state $|0\rangle$, the inverter obtains the quantum residue (by tracing out the ancilla):

$$|\tilde\psi^n_0\rangle = \sum_{x}|\tilde\gamma^{x}_0\rangle^{Keep}\otimes|x\rangle^{Open}\otimes|\sigma_n(x)\rangle^{Commit}_+ \qquad (12)$$

where $|\tilde\gamma^x_0\rangle = |\gamma^{x,\sigma_n(x)}_0\rangle/\sqrt{S^n_0}$, with probability

$$S^n_0 = \sum_{x}\||\gamma^{x,\sigma_n(x)}_0\rangle\|^2.$$

It is easy to verify that $T_n$ can be implemented by a quantum circuit of $O(\|U_{\sigma_n}\|_{UG})$ elementary gates. On input $u \in_R \{0,1\}^n$, the inverter then works exactly as in the perfect case. In Fig. 2, the quantum circuit for the general inverter $I_{\mathcal{A}}(u)$ is shown. The input quantum register is $Y$ and the output register is $Open$. The output is the outcome of the standard measurement $M_n$ applied to the output register $Open$, which hopefully contains $x = \sigma_n^{-1}(u)$.

Fig. 2. The inverter $I_{\mathcal{A}}(u)$, $u \in \{0,1\}^n$, obtained from adversary $\mathcal{A} = (C^n_0, U^n_{0,1})$.

The following lemma is straightforward and establishes the efficiency of the inverter in terms of the efficiency of $\mathcal{A}$'s attack against $commit_{\Sigma,n}$:
Lemma 3. If $\mathcal{A}$ is $(\cdot, t(n))$-successful then

$$\|I_{\mathcal{A}}(u)\|_{UG} \in O\big(t(n) + \|U_{\sigma_n}\|_{UG}\big).$$

It should be noted that the gates $\Phi_n$ and $H_n$ appearing in circuit $W_n$ are not taken into account in the statement of Lemma 3. The reason is that none of them influence the final outcome, since they commute with the final measurement on $Open$. They have been included in $W_n$ to help the reader with the analysis of the success probability described in the next section.



7.2 Analysis of the Success Probability

Let $\mathcal{A} = \{(C^n_0, U^n_{0,1})\}_{n>0}$ be any $(\varepsilon(n), \cdot)$-successful adversary for some $\varepsilon(n) > 0$, thus satisfying $S^n_0 + S^n_1 \ge 1 + \varepsilon(n)$. Let $P^x_{Open}$ be the projection operator $|x\rangle\langle x|$ applied to register $Open$. We recall that $P^y_{Commit}$ and $P'^{\,y}_{Commit}$ are the projection operators onto $|y\rangle_+$ and $|y\rangle_\times$ respectively, acting upon register $Commit$. We now define the two projection operators

$$P_0 = \sum_{x\in\{0,1\}^n} P^x_{Open}\otimes P^{\sigma_n(x)}_{Commit} \qquad\text{and}\qquad P_1 = \sum_{x\in\{0,1\}^n} P^x_{Open}\otimes P'^{\,\sigma_n(x)}_{Commit}, \qquad (13)$$

which have the property, using (8), that $S^n_0 = \|P_0|\psi^n_0\rangle\|^2$ and $S^n_1 = \|P_1|\psi^n_1\rangle\|^2$. The next lemma relates the success probability to the projections $P_0$ and $P_1$.

Lemma 4. The probability of success $s$ of inverter $I_{\mathcal{A}}(u)$ satisfies

$$s = \|P_1\,U^n_{0,1}\,P_0\,|\psi^n_0\rangle\|^2.$$

Proof: We recall that the probability of success is defined in terms of a uniformly distributed input $u$. We will first compute the probability $s(u)$ that the inverter succeeds on input $u \in \{0,1\}^n$. Assume that right after gate $T_n$, the register $T$ is observed in state $|0\rangle$. The registers $Keep\otimes Open\otimes Commit$ have now collapsed to the state $|\tilde\psi^n_0\rangle$, where $|\tilde\psi^n_0\rangle$ is the state $P_0|\psi^n_0\rangle$ after renormalization. Note that $|\tilde\psi^n_0\rangle$ is a perfect 0-state. This event has probability $\|P_0|\psi^n_0\rangle\|^2 = S^n_0$ according to (12). Next the circuit $W_n$, with $u$ encoded in $Y$, unitarily maps the state $|\tilde\psi^n_0\rangle$ into the state $2^{n/2}|\tilde\Psi_0(u)\rangle = 2^{n/2}P'^{\,u}_{Commit}|\tilde\psi^n_0\rangle$ (see Sect. 6). Then the circuit $U^n_{0,1}$ returns the state $2^{n/2}P'^{\,u}_{Commit}U^n_{0,1}|\tilde\psi^n_0\rangle$. Finally, the register $Open$ is measured and the probability of success given the initial state $|\tilde\psi^n_0\rangle$ is $\|2^{n/2}P^{\sigma_n^{-1}(u)}_{Open}P'^{\,u}_{Commit}U^n_{0,1}|\tilde\psi^n_0\rangle\|^2$. Using (12), we get that

$$s(u) = S^n_0\cdot 2^n\,\|P^{\sigma_n^{-1}(u)}_{Open}P'^{\,u}_{Commit}U^n_{0,1}|\tilde\psi^n_0\rangle\|^2 = 2^n\,\|P^{\sigma_n^{-1}(u)}_{Open}P'^{\,u}_{Commit}U^n_{0,1}P_0|\psi^n_0\rangle\|^2.$$

Averaging over all values of the uniformly distributed variable $u$, we obtain:

$$s = \sum_{u\in\{0,1\}^n}2^{-n}\,s(u) = \sum_{u\in\{0,1\}^n}\big\|\big(P^{\sigma_n^{-1}(u)}_{Open}\otimes P'^{\,u}_{Commit}\big)U^n_{0,1}P_0|\psi^n_0\rangle\big\|^2 = \Big\|\Big(\sum_{u\in\{0,1\}^n}P^{\sigma_n^{-1}(u)}_{Open}\otimes P'^{\,u}_{Commit}\Big)U^n_{0,1}P_0|\psi^n_0\rangle\Big\|^2 = \|P_1U^n_{0,1}P_0|\psi^n_0\rangle\|^2, \qquad (14)$$

where (14) is obtained from the fact that $\{P^{\sigma_n^{-1}(u)}_{Open}\otimes P'^{\,u}_{Commit}\}_{u}$ are mutually orthogonal projections (whose sum is $P_1$, by the substitution $x = \sigma_n^{-1}(u)$) and from Pythagoras' theorem. □

We are now ready to relate the probability of success of the inverter to a good adversary against the binding condition of $commit_{\Sigma,n}$.

Lemma 5. Let $I_{\mathcal{A}}$ be the inverter obtained from a $(S^n_0 + S^n_1 - 1, \cdot)$-successful adversary $\mathcal{A}$ with $S^n_0 + S^n_1 \ge 1 + \varepsilon(n)$ for $\varepsilon(n) > 0$, for all $n > 0$. Then the success probability $s$ to invert with success a random image element satisfies

$$s \ge \Big(\sqrt{S^n_1} - \sqrt{1 - S^n_0}\Big)^2.$$

Proof: Using Lemma 4, we can write

$$s = \|P_1U^n_{0,1}P_0|\psi^n_0\rangle\|^2 = \|P_1U^n_{0,1}|\psi^n_0\rangle - P_1U^n_{0,1}P^{\perp}_0|\psi^n_0\rangle\|^2 = \|P_1|\psi^n_1\rangle - P_1U^n_{0,1}P^{\perp}_0|\psi^n_0\rangle\|^2,$$

where $P^\perp_0 = 1 - P_0$. Using the triangle inequality, $\|P_1U^n_{0,1}P^\perp_0|\psi^n_0\rangle\| \le \|P^\perp_0|\psi^n_0\rangle\|$ and $S^n_1 > 1 - S^n_0$, we are led to

$$s \ge \big(\|P_1|\psi^n_1\rangle\| - \|P^\perp_0|\psi^n_0\rangle\|\big)^2 = \Big(\sqrt{S^n_1} - \sqrt{1 - S^n_0}\Big)^2.$$

□

From Lemma 5 and a few manipulations, we conclude that $S^n_0 + S^n_1 \ge 1 + \varepsilon(n)$ implies that $s \ge \varepsilon(n)^2/4$. In addition, if $\varepsilon(n) \in \Omega(1/poly(n))$ and $t(n) \in O(poly(n))$, then the inverter works in polynomial time with probability of success in $\Omega(1/poly(n)^2)$.
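The "few manipulations" behind the bound $s \ge \varepsilon(n)^2/4$, written out here as an added step (not part of the original text), with $S^n_0$, $S^n_1$ and $\varepsilon(n)$ as above:

$$\sqrt{S^n_1} - \sqrt{1 - S^n_0} \;\ge\; \sqrt{(1 - S^n_0) + \varepsilon(n)} - \sqrt{1 - S^n_0} \;=\; \frac{\varepsilon(n)}{\sqrt{(1 - S^n_0) + \varepsilon(n)} + \sqrt{1 - S^n_0}} \;\ge\; \frac{\varepsilon(n)}{2},$$

where the first step uses $S^n_1 \ge 1 - S^n_0 + \varepsilon(n)$, i.e. (9), the equality is $\sqrt{a+\varepsilon} - \sqrt{a} = \varepsilon/(\sqrt{a+\varepsilon}+\sqrt{a})$, and the last step uses that both square roots in the denominator are at most 1 (since $1 - S^n_0 + \varepsilon(n) \le S^n_1 \le 1$). Squaring and applying Lemma 5 gives

$$s \;\ge\; \Big(\sqrt{S^n_1} - \sqrt{1 - S^n_0}\Big)^2 \;\ge\; \frac{\varepsilon(n)^2}{4}.$$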

8 Conclusion

The concealing condition is established unconditionally by Lemma 1. Lemmas 3 and 5 imply that any $(\varepsilon(n), t(n))$-successful adversary against $commit_{\Sigma,n}$ can invert the family of one-way permutations $\Sigma$ with time-success ratio roughly $t(n)/\varepsilon(n)^2$. We finally obtain:

Theorem 1. Let $\Sigma$ be an $R(n)$-secure family of one-way permutations. Protocol $commit_{\Sigma,n}$ is unconditionally concealing and $R'(n)$-binding where $R'(n) \in \Omega(\sqrt{R(n)})$.

Our reduction produces only a quadratic blow-up in the worst case between the time-success ratio of the inverter and the time-success ratio of the attack. Compared to NOVY's construction, the reduction is tighter by several orders of magnitude.
magnitude. If E is (n) 5(n)-secure with G 0(^/ (^) then the reduction 
is optimal. 

In order for the scheme to be practical, the receiver should not be required to store the received qubits until the opening phase. It is an open question whether or not our scheme is still secure if the receiver measures each qubit $i$ upon reception in a random basis $\theta_i \in_R \{+, \times\}$, the opening of $w \in \{0,1\}$ being accepted if, each time $\theta_i = \theta(w)$, the announced $x \in \{0,1\}^n$ is such that $[\sigma_n(x)]_i = y_i$. That way, the protocol would require technology similar to that needed for implementing the BB84 quantum key distribution protocol [2].

It is also not clear how to modify the scheme in order to deal with noisy quantum transmissions. Another problem linked to practical implementation is the lack of tolerance to multi-photon pulses. If, for $w \in \{0,1\}$, the quantum state $|x\rangle_{\theta(w)}\otimes|x\rangle_{\theta(w)}$ is sent instead of $|x\rangle_{\theta(w)}$, then $commit_{\Sigma,n}$ is no longer concealing. Moreover, it is impossible in practice to make sure that only one qubit per pulse is sent.

Our main open problem is finding candidates for families of quantum one-way permutations or functions. If a candidate family of quantum one-way functions were also computable efficiently on a classical computer, then classical cryptography could provide computational security even against quantum adversaries. It would also be interesting to find candidate one-way functions that are not classically one-way. Quantum cryptography could then provide a different basis for computational security in cryptography.

Acknowledgements. Thanks to Ivan Damgård for several enlightening discussions and to Peter Høyer for helping with the circuitry. Thanks also to Alain Tapp for helpful comments on earlier drafts.
Abstract. We show that verifiable secret sharing (VSS) and secure multi-party computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all. Because an LSSS neither guarantees reconstructability when some shares are false, nor verifiability of a shared value, nor allows for the multiplication of shared values, an LSSS is an apparently much weaker primitive than VSS or MPC.

Our approach to secure MPC is generic and applies to both the information-theoretic and the cryptographic setting. The construction is based on 1) a formalization of the special multiplicative property of an LSSS that is needed to perform a multiplication on shared values, 2) an efficient generic construction to obtain from any LSSS a multiplicative LSSS for the same access structure, and 3) an efficient generic construction to build verifiability into every LSSS (always assuming that the adversary structure allows for MPC or VSS at all).

The protocols are efficient. In contrast to all previous information-theoretically secure protocols, the field size is not restricted (e.g., to be greater than n). Moreover, we exhibit adversary structures for which our protocols are polynomial in n while all previous approaches to MPC for non-threshold adversaries provably have super-polynomial complexity.



1 Introduction 

Secure multi-party computation (MPC) can be defined as the problem of n players to compute an agreed function of their inputs in a secure way, where security means guaranteeing the correctness of the output as well as the privacy of the players' inputs, even when some players cheat. A key tool for secure MPC, interesting in its own right, is verifiable secret sharing (VSS): a dealer distributes a secret value s among the players, where the dealer and/or some of the players may be cheating. It is guaranteed that if the dealer is honest, then the cheaters obtain no information about s, and all honest players are later able to reconstruct s. Even if the dealer cheats, a unique such value s will be determined and is reconstructible without the cheaters' help.

It is common to model cheating by considering an adversary who may corrupt some subset of the players. One can distinguish between passive and active corruption. Passive corruption means that the adversary obtains the complete information held by the corrupted players, but the players execute the protocol correctly. Active corruption means that the adversary takes full control of the corrupted players. It is (at least initially) unknown to the honest players which subset of players is corrupted. Trivially, secure MPC is impossible if any subset can be corrupted. The adversary's corruption capability is characterized by an adversary structure [25] $\mathcal{A}$, a family of subsets where the adversary can corrupt any subset in $\mathcal{A}$. This is called an $\mathcal{A}$-adversary. The adversary structure could for instance consist of all subsets with cardinality less than some threshold value t. Of course, an adversary structure must be monotone, i.e. if $A \in \mathcal{A}$ and $B \subseteq A$, then $B \in \mathcal{A}$.

Both passive and active adversaries may be static, meaning that the set of 
corrupted players is chosen once and for all before the protocol starts, or adaptive 
meaning that the adversary can at any time during the protocol choose to corrupt 
a new player based on all the information he has at the time, as long as the total 
corrupted set is in A. 

Two basic models of communication have been considered in the literature. 
In the cryptographic model [24], all players are assumed to have access to mes- 
sages exchanged between players, and hence security can only be guaranteed in a 
cryptographic sense, i.e. assuming that the adversary cannot solve some compu- 
tational problem. In the information-theoretic (abbreviated i.t., sometimes also 
called secure channels) model [5,10], it is assumed that the players can commu- 
nicate over pairwise secure channels, and security can then be guaranteed even 
when the adversary has unbounded computing power. 

An MPC protocol simulates an ideal setting in which the players give their inputs to a trusted party who computes the result and gives it back to the players. Security means that whatever an adversary can do in the real protocol he could essentially also do in the ideal setting. This assures both privacy and correctness. There are several technically different proposals for formalizing this (see e.g. [1,28,8]). While either definition could be used for a formal security proof of the protocols in this paper, any such proof would by far exceed the space limitations. Instead, we include sketches of proofs, generic enough to fit any of the definitions.

The outline of the paper is as follows: In Section 2 we review some previous work. In Section 3 we introduce some terminology and concepts, state the results and explain the role they play in comparison with earlier results. The technical results on LSSS are proved in Section 4. The protocols we propose are described in Sections 5, 6 and 7.
2 Previous Work

The classical MPC results in the information-theoretic model are due to Ben-Or, Goldwasser and Wigderson [5] and Chaum, Crépeau and Damgård [10], who showed that every function can be securely computed in the presence of an adaptive, passive adversary, resp. an adaptive, active adversary, if and only if the adversary corrupts less than n/2, resp. less than n/3 players. When a broadcast channel is available, and one accepts a non-zero probability that the protocol computes incorrect results, then one can tolerate less than n/2 active cheaters [30,29].

The most general previous results for the cryptographic model are by Goldreich, Micali and Wigderson [24], who showed that, assuming trapdoor one-way permutations exist, any function can be securely computed in the presence of a static, active adversary corrupting less than n/2 players, and by Canetti et al., who show [9] that security against adaptive adversaries in the cryptographic model can also be obtained. VSS was introduced in [11].

All results mentioned so far only apply to threshold adversary structures. Gennaro [22] considered VSS in a non-threshold setting, and Hirt and Maurer [25] introduced the concept of an adversary structure and characterized exactly for which adversary structures VSS and secure MPC is possible. Let $Q^2$, resp. $Q^3$, be the condition on an adversary structure that no two, resp. no three, of the sets in the structure cover the full player set $\mathcal{P}$. The result of [25] can then be stated as follows: In the information-theoretic scenario, every function can be securely computed in the presence of an adaptive, passive $\mathcal{A}$-adversary, resp. an adaptive, active $\mathcal{A}$-adversary, if and only if $\mathcal{A}$ is $Q^2$, resp. $\mathcal{A}$ is $Q^3$. Beaver and Wool [2] propose a somewhat more efficient protocol for the passive case. The threshold results of [5], [10], [24] and [29] are special cases, where the adversary structure contains all sets of size less than n/2 or n/3.

This general model leads to strictly stronger results. For instance, in the case of 6 players $\{P_1, \ldots, P_6\}$ and active corruption, one can obtain a protocol secure against the structure with maximal sets $\{P_1\}$, $\{P_2, P_4\}$, $\{P_2, P_5, P_6\}$, $\{P_3, P_5\}$, $\{P_3, P_6\}$, whereas threshold type results tolerate only active cheating by a single player.



3 Results of this Paper 

In this paper, we consider linear secret sharing schemes (LSSS). An LSSS is defined over a finite field K, and the secret to be distributed is an element in K. Each player receives from the dealer a share consisting of one or more field elements; each share is computed as a fixed linear function of the secret and some random field elements chosen by the dealer.¹ The size of an LSSS is the total number of field elements distributed. Only certain subsets of players, the qualified sets, can reconstruct the secret from their shares. Unqualified sets have no information about the secret. The collection of qualified sets is called the access structure of the LSSS, and the collection of unqualified sets is called the adversary structure.

¹ A seemingly weaker definition requires only that the reconstruction process be linear; however, this is essentially equivalent to the definition given here [3].

Most proposed secret sharing schemes are linear, but the concept of an LSSS 
was first considered in its full generality by Karchmer and Wigderson who in- 
troduced the equivalent notion of Monotone Span Programs (MSP) which we 
describe in detail later. MSP’s and LSSS’s are in natural 1-1 correspondence. 

The main goal in our paper is to provide an efficient construction which from any LSSS with adversary structure $\mathcal{A}$ builds MPC and VSS protocols secure against $\mathcal{A}$-adversaries (whenever this is possible). There are several motivations for this. First, basing VSS and MPC on as simple and weak a primitive as possible can help us design simpler and more efficient protocols, because it is easier to come up with an implementation of a simpler primitive. Indeed, a wide range of general techniques for designing secret sharing schemes are known, e.g., Shamir [31], Benaloh-Leichter [4], Ito et al. [26], Bertilsson and Ingemarsson [6], Brickell [7] and van Dijk [16]. All these techniques result in LSSS's, and therefore are directly applicable to VSS and MPC by our results. Secondly, since LSSS's can be designed for any adversary structure, our approach allows us to build protocols handling any adversary structure for which VSS and MPC is possible at all. For some adversary structures this provably leads to an exponentially large efficiency improvement over known techniques, as we shall see.

We first give a brief overview of our basic approach: consider first the case 
where the adversary is passive. It is then trivial to add secrets securely: Each 
player holding an input shares it using the given LSSS, and each player adds up 
the shares he holds. By linearity of the LSSS, this results in a set of shares of 
the desired result. 

Therefore, to do general MPC, it will suffice to implement multiplication 
of shared secrets. That is, we need a protocol where each player initially holds 
shares of secrets a and b, and ends up holding a share of ab. Such protocols are 
described for the threshold case in [24,5,10] and more recently in [23], based on 
Shamir’s secret sharing scheme. We show below that the latter generalizes to 
work for any LSSS, provided that the LSSS is what we call multiplicative. 

Loosely speaking, an LSSS is multiplicative if each player $P_i$ can, from his shares of secrets a and b, compute a value $c_i$, such that the product ab can be computed as a linear combination of all the $c_i$'s. It is strongly multiplicative if ab can be obtained using only values from honest players (we give a precise definition later).

With these techniques, using a multiplicative LSSS to implement passively 
secure MPC is quite straightforward. However, the multiplication property seems 
to require a very special structure in the LSSS. Nevertheless we show, perhaps 
somewhat surprisingly, that multiplicativity can be assumed without loss of gen- 
erality: we give an efficient procedure that transforms any LSSS into a multi- 
plicative LSSS of size at most twice that of the original one. 
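The addition-by-linearity and multiplication-by-recombination steps described above, as an added Python example (not the paper's own code). The LSSS is given in MSP form: a matrix M over GF(p) whose row i belongs to player i, with target vector $e_1$; a set of players is qualified iff some linear combination of their rows equals $e_1$, and the scheme is multiplicative iff some recombination vector r satisfies $\sum_i r_i (M_i \otimes M_i) = e_1 \otimes e_1$, because then $\sum_i r_i a_i b_i = ab$ for every pair of share vectors. The instance is Shamir's scheme (Vandermonde rows), which is multiplicative when $2t < n$; the example shows that a qualified set has a recombination vector and an unqualified one does not, that locally added shares reconstruct to the sum, and that the product recombination vector exists for 5 players with t = 2 but not for 3 players. The field size P, the names solve_mod_p, shamir_msp, share, reconstruct, add_shares and multiply_shares, and the sample secrets and randomness are this example's own; the paper's generic construction turning any LSSS into a multiplicative one is not implemented.

```python
# Added example (not from the paper): a linear secret sharing scheme in monotone
# span program (MSP) form over GF(P), with local addition and the multiplicative
# recombination step. Shamir's scheme is used as the concrete MSP.

P = 101  # constructed: a small prime field; the schemes work over any finite field


def solve_mod_p(A, b):
    """Solve A x = b over GF(P) by Gauss-Jordan elimination.
    A is m x n (m equations, n unknowns), b has length m. Returns one solution
    (free unknowns set to 0) or None if the system is inconsistent."""
    m, n = len(A), len(A[0])
    M = [[v % P for v in row] + [bi % P] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        if r == m:
            break
        piv = next((i for i in range(r, m) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], P - 2, P)
        M[r] = [(v * inv) % P for v in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(vi - f * vr) % P for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][n] for i in range(r, m)):   # 0 = nonzero: no solution
        return None
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = M[i][n]
    return x


def shamir_msp(n, t):
    """MSP rows M_i = (1, i, i^2, ..., i^t): player i holds f(i) for a degree-t polynomial f."""
    return [[pow(i, j, P) for j in range(t + 1)] for i in range(1, n + 1)]


def share(secret, M, randomness):
    """share_i = <M_i, rho> with rho = (secret, r_1, ..., r_{d-1}); randomness is
    passed in explicitly so runs are reproducible (a real dealer draws it uniformly)."""
    rho = [secret % P] + [r % P for r in randomness]
    assert len(rho) == len(M[0]), "need d-1 random field elements"
    return [sum(mi * ri for mi, ri in zip(row, rho)) % P for row in M]


def recombination_vector(M, players):
    """lambda with sum_i lambda_i M_i = e_1 over the given players (0-based row
    indices), or None if the set is unqualified."""
    d = len(M[0])
    A = [[M[i][j] for i in players] for j in range(d)]   # M restricted to players, transposed
    return solve_mod_p(A, [1] + [0] * (d - 1))


def reconstruct(M, shares, players):
    """Secret from the shares of a qualified set; None if the set is unqualified."""
    lam = recombination_vector(M, players)
    if lam is None:
        return None
    return sum(l * shares[i] for l, i in zip(lam, players)) % P


def add_shares(a_shares, b_shares):
    """Linearity: adding shares locally yields shares of the sum."""
    return [(x + y) % P for x, y in zip(a_shares, b_shares)]


def product_recombination_vector(M):
    """r with sum_i r_i (M_i (x) M_i) = e_1 (x) e_1; exists iff the LSSS is multiplicative."""
    d = len(M[0])
    kron = [[x * y % P for x in row for y in row] for row in M]   # M_i (x) M_i per player
    A = [[kron[i][k] for i in range(len(M))] for k in range(d * d)]
    return solve_mod_p(A, [1] + [0] * (d * d - 1))


def multiply_shares(M, a_shares, b_shares):
    """Each player computes c_i = a_i * b_i locally; ab = sum_i r_i c_i. None if not multiplicative."""
    r = product_recombination_vector(M)
    if r is None:
        return None
    return sum(ri * a * b for ri, a, b in zip(r, a_shares, b_shares)) % P


if __name__ == "__main__":
    M = shamir_msp(5, 2)                       # 5 players, threshold t = 2, so 2t < n
    a = share(7, M, [3, 11])                   # constructed randomness
    b = share(9, M, [50, 2])
    print("qualified {1,2,3} reconstructs a:", reconstruct(M, a, [0, 1, 2]))
    print("unqualified {1,2} reconstructs a:", reconstruct(M, a, [0, 1]))
    print("a + b from locally added shares:", reconstruct(M, add_shares(a, b), [2, 3, 4]))
    print("a * b via recombination vector:", multiply_shares(M, a, b))
    print("3 players, t = 2 multiplicative?", product_recombination_vector(shamir_msp(3, 2)) is not None)
```

For Shamir's scheme the product recombination vector is just the Lagrange coefficients at 0 over all n evaluation points, which is why it exists exactly when the degree-2t product polynomial is determined by n points. The multiply step as written only handles a passive adversary: it trusts every $c_i$, which is the gap the VSS construction of Section 6 closes.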

Finally, we consider the case of an active adversary. Basically, the same techniques as for the passive case will apply, provided we can build a linear verifiable secret sharing scheme from any given LSSS. We show that this can be done given a commitment scheme with certain convenient homomorphic properties. And we then build such a commitment scheme based also on the LSSS. With this VSS and the techniques described earlier for multiplication, an MPC protocol for active adversaries follows easily.

Thus, for the i.t. scenario, our main results are as follows:

Theorem 1 For any field K and any LSSS $\mathcal{M}$ with adversary structure $\mathcal{A}$, there exists an error-free VSS protocol in the information-theoretic scenario, secure against any active and adaptive $\mathcal{A}$-adversary. The protocol has complexity polynomial in the size of $\mathcal{M}$ and $\log|K|$.

Theorem 2 For any field K, any arithmetic circuit C over K, and any LSSS $\mathcal{M}$ with adversary structure $\mathcal{A}$, there is an error-free MPC protocol computing C in the information-theoretic scenario, secure against any adaptive and passive $\mathcal{A}$-adversary. The complexity of the protocol is polynomial in |C|, $\log|K|$, and the size of $\mathcal{M}$.

Theorem 3 For any field K, any arithmetic circuit C over K, and any LSSS $\mathcal{M}$ with adversary structure $\mathcal{A}$, there is an MPC protocol computing C in the information-theoretic scenario, secure against any adaptive and active $\mathcal{A}$-adversary. The complexity of the protocol is polynomial in |C|, $\log|K|$, the size of $\mathcal{M}$ and a security parameter k, where the error probability is exponentially small in k. If $\mathcal{M}$ is strongly multiplicative, there exists an error-free protocol for the same purpose, with complexity polynomial in |C|, $\log|K|$ and the size of $\mathcal{M}$.

The statement of these results shows what can be done starting from a given LSSS. In practice, it may be that an adversary structure $\mathcal{A}$ is given by the application, and one wants the most efficient VSS or MPC possible for that structure. Our results show that we can build such protocols starting from any LSSS with a $Q^2$ (or $Q^3$) adversary structure containing $\mathcal{A}$. Such an LSSS always exists, by the results from Section 4. This leads naturally to a complexity measure for adversary structures, namely the size of the smallest LSSS that will work in this construction. From this perspective, our results show that the complexity of doing VSS/MPC secure for adversary structure $\mathcal{A}$ is upper bounded by the LSSS complexity of $\mathcal{A}$, up to a reduction polynomial in the number of players.

To compare our results to those of [25,2] in terms of efficiency, we note that simple inspection of the protocols shows that ours are more efficient by an additive polynomial amount for any non-threshold adversary structure. Moreover, the improvement can be much larger in some cases: we can show that there exists a family $\{\mathcal{A}_n\}_{n=1,2,\ldots}$ of adversary structures (where $\mathcal{A}_n$ is a structure on n players) for which our results lead to protocols that are polynomial time in n, whereas any construction based on [25] or [2] has super-polynomial complexity.

The proof of this result has been omitted for lack of space (but can be found in [32]). As an illustration, we describe a natural example of a family of




General Secure Multi-party Computation 321 



structures for which no previous solution is known to work efficiently, but for which linear size LSSS's can be built easily.

Suppose our player set is divided into two groups X and Y of m players each (n = 2m), where the players are on friendly terms within each group but tend to distrust players in the other group. Hence, a coalition of active cheaters might consist of almost all players from X or from Y, whereas a mixed coalition with players from both groups is likely to be quite small. Concretely, suppose we assume that a group of active cheaters can consist of at most 9m/10 players from only X or only Y, or it can consist of less than m/5 players coming from both X and Y. This defines a $Q^3$ adversary structure, and so multi-party computations are possible in this scenario. Nevertheless, no threshold solution exists, since the largest coalitions of corrupt players have size more than n/3. It can be shown that no weighted threshold solution exists either for this scenario.
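The $Q^2$ and $Q^3$ conditions of Hirt and Maurer, checked mechanically on the six-player structure of Section 2 and on the two-group structure just described, as an added Python example (not code from the paper; the function names and the way the structures are spelled out are this example's own). Because an adversary structure is monotone, it is enough to test k-tuples of its maximal sets, allowing repeats so that covers by fewer than k sets are caught as well. With m = 10, "less than m/5 players from both groups" allows no mixed coalition at all, so the structure is exactly the 9-subsets of X and of Y; larger m adds mixed maximal sets and makes the triple enumeration considerably bigger.

```python
# Added example (not from the paper): is an adversary structure Q^2 / Q^3, and does a
# threshold protocol cover it? Structures are given by their maximal sets, which is
# sufficient because adversary structures are monotone.
from itertools import combinations, combinations_with_replacement


def is_qk(players, max_sets, k):
    """Q^k: no k sets of the structure cover the whole player set.
    Repeats are allowed so that a cover by fewer than k sets is also detected."""
    everyone = frozenset(players)
    return all(frozenset().union(*sets) != everyone
               for sets in combinations_with_replacement(max_sets, k))


def threshold_tolerable(players, max_sets, fraction):
    """Largest coalition size t in the structure and whether the classical threshold
    bound t < n/fraction (fraction = 2 passive, 3 active) would accommodate it."""
    t = max(len(s) for s in max_sets)
    return t, fraction * t < len(players)


# (a) The six-player structure from Section 2, maximal sets as listed there.
SIX = [f"P{i}" for i in range(1, 7)]
SIX_MAX = [frozenset(s) for s in (["P1"], ["P2", "P4"], ["P2", "P5", "P6"],
                                  ["P3", "P5"], ["P3", "P6"])]


# (b) The two-group structure from Section 3: groups X and Y of m players each;
# cheaters are at most 9m/10 players from one group, or fewer than m/5 from both.
def two_group_structure(m):
    X = [f"x{i}" for i in range(m)]
    Y = [f"y{i}" for i in range(m)]
    single = 9 * m // 10                 # "at most 9m/10"
    mixed = (m + 4) // 5 - 1             # largest integer strictly below m/5
    max_sets = [frozenset(s) for s in combinations(X, single)]
    max_sets += [frozenset(s) for s in combinations(Y, single)]
    if mixed >= 2:                       # a mixed coalition needs a player of each group
        xs, ys = set(X), set(Y)
        for s in combinations(X + Y, mixed):
            if xs.intersection(s) and ys.intersection(s):
                max_sets.append(frozenset(s))
    return X + Y, max_sets


if __name__ == "__main__":
    print("six players: Q^3 =", is_qk(SIX, SIX_MAX, 3),
          "; largest coalition / threshold ok:", threshold_tolerable(SIX, SIX_MAX, 3))
    players, sets = two_group_structure(10)
    print("two groups, m=10: Q^3 =", is_qk(players, sets, 3), "Q^4 =", is_qk(players, sets, 4),
          "; largest coalition / threshold ok:", threshold_tolerable(players, sets, 3))
```

Both structures come out $Q^3$ while their largest coalition exceeds n/3, which is exactly the gap between the general model and threshold results that the text points at; the $Q^4$ check on the two-group structure fails because two 9-subsets already cover a group of 10.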

Note that it is trivial to give linear size monotone formulae characterizing these structures (when arbitrary threshold functions are allowed as operators), and hence efficient LSSS's for these structures follow immediately by results from [4]. Therefore, our techniques can be used to build efficient MPC in these scenarios. No efficient construction is known using the protocols from [25,2].

It is natural to ask if the results can be improved, i.e., can we base VSS/MPC 
on an even weaker primitive, for example an arbitrary secret sharing (SS) scheme? 
This would be the best we could hope for since VSS trivially implies SS. Recently, 
Cramer, Damgård and Dziembowski [13] have shown that while VSS can indeed 
be based on arbitrary SS schemes (by an efficient black-box reduction), there 
exists no black-box reduction reducing MPC to SS that is efficient on all relevant 
adversary structures. Thus, any generally efficient reduction would have to rely 
on special properties of the SS scheme, such as linearity. Hence, improving our 
MPC results in this direction seems like a highly non-trivial problem. 

Remarkably, the situation for the cryptographic scenario is quite different. 
We have the following generalization of the threshold result from [24] (where 
the complexity of an SS scheme is defined as the complexity of distributing and 
reconstructing a secret). 

Theorem 4 Let C be an arithmetic circuit over a finite field K, let $\mathcal{A}$ be a 
adversary structure, and let S be an SS scheme over K for which all sets in $\mathcal{A}$ are 
non-qualified and all complements of sets in $\mathcal{A}$ are qualified. If trapdoor one-way 
permutations exist, then there exists a secure MPC protocol computing C in the 
cryptographic scenario, secure against any active and static $\mathcal{A}$-adversary. It has 
complexity polynomial in $|C|$, the complexity of S, and the security parameter k. 

The assumptions in this result are essentially minimal, but it does not lead to 
very practical protocols. However, if S is an LSSS and one-way group homomorphisms 
with specific extra properties exist, so-called q-one-way group homomorphisms [12], 
then very efficient protocols can be built. Particular assumptions 
sufficient for the existence of q-one-way group homomorphisms include the RSA 
assumption, hardness of discrete logarithm in a group of prime order, or the 
decisional Diffie-Hellman assumption. As an example of what one obtains for 
the most efficient implementation of the primitives, we state the following: 

^ The proofs of the results in the cryptographic setting have been omitted for lack of 
space; they can be found in [32]. 

Theorem 5 Let C be an arithmetic circuit over $K = GF(q)$ for a k-bit prime 
q, and let $\mathcal{A}$ be a adversary structure. If Diffie-Hellman based probabilistic 
encryption in a group of order q is semantically secure, then there exists an MPC 
protocol computing C for the cryptographic scenario secure against any active 
and static $\mathcal{A}$-adversary. It has communication complexity $O(k \cdot |C| \cdot (\mu_{GF(q)}(\mathcal{A}))^2)$. 

4 Multiplicative Monotone Span Programs 

As mentioned earlier, Monotone Span Programs (MSP) are essentially equivalent 
to LSSS's (see e.g. [3]). It turns out to be convenient to describe our protocols 
in terms of MSP's, which we do for the rest of the paper. This section contains 
some basic definitions, notation and results relating to MSP's. 

We first fix some notation for later use: The set of players in our protocols will 
be denoted by $P = \{P_1, \dots, P_n\}$. Consider any monotone Boolean function 
$f : \{0,1\}^n \to \{0,1\}$. By identifying subsets of P with their characteristic vectors^, 
we can also apply f to subsets of P. A set $S \subseteq P$ for which $f(S) = 0$ (or 
$f(S) = 1$) is said to be rejected (or accepted) by f. The function f hence defines 
naturally an adversary structure, denoted $\mathcal{A}_f$, consisting of the sets rejected 
by f. Conversely, an adversary structure $\mathcal{A}$ defines a monotone function f 
rejecting exactly the sets in $\mathcal{A}$. 

For two vectors x and y over a field K, $x \otimes y$ denotes the matrix whose 
i-th column is $x_i y$, where $x_i$ is the i-th coordinate of x. If x and y have the 
same length, then $\langle x, y \rangle$ denotes the standard scalar product. A $d \times e$ matrix M 
defines a linear map from $K^e$ to $K^d$. $\mathrm{Im}\, M$ denotes the image of this map, i.e. 
the subspace of $K^d$ spanned by the columns of M. $\mathrm{Ker}\, M$ denotes the kernel 
of M, i.e. $\mathrm{Ker}\, M = \{x \in K^e : Mx = 0\}$. For a subspace V of a finite-dimensional 
vector space over K, the dual $V^\perp$ is defined as the subspace of 
vectors whose scalar product is 0 with all vectors in V. It is a basic fact from 
linear algebra that for any field K, $(V^\perp)^\perp = V$ and this immediately implies 
that $(\mathrm{Ker}\, M)^\perp = \mathrm{Im}(M^T)$, which we refer to as the duality argument. 

Definition 1 A Monotone Span Program $\mathcal{M}$ is a triple $(K, M, \psi)$ where K 
is a finite field, M is a matrix (with d rows and $e \le d$ columns) over K and 
$\psi : \{1, \dots, d\} \to \{1, \dots, n\}$ is a surjective function. The size of $\mathcal{M}$ is the 
number of rows (d). 

$\psi$ labels each row with a number from $\{1, \dots, n\}$ corresponding to a player in P, 
so we can think of each player as being the "owner" of one or more rows. 

^ The characteristic vector of a set S is a vector in $\{0,1\}^n$ whose i-th component is 1 
if and only if $P_i \in S$. 

In the following, if M is the matrix of an MSP, and A is a subset of the 
players, then $M_A$ denotes M restricted to those rows i with $\psi(i) \in A$. Similarly, 
if x is a d-vector, then $x_A$ denotes x restricted to the coordinates i with $\psi(i) \in A$. 

$\mathcal{M}$ yields a linear secret sharing scheme as follows: to distribute $s \in K$ the 
dealer chooses a random vector $\rho \in K^{e-1}$ and writes $b := (s, \rho)$. For each 
row x in M, the scalar product $\langle x, b \rangle$ is given to the owner of x. We will denote 
the d-vector thus distributed by $M(s, \rho)$. It turns out that a set of players can 
reconstruct s precisely if the rows they own contain in their linear span the target 
vector of $\mathcal{M}$, which we have here globally fixed to be $(1, 0, \dots, 0)$ (without loss of 
generality). Otherwise they get no information on s (see [27] for a proof of this). 
We note that the size of $\mathcal{M}$ is also the size of the corresponding LSSS. 

The function computed by $\mathcal{M}$ is the monotone function accepting precisely 
those subsets that can reconstruct the secret [27]. It is well-known that for every 
field K, every monotone Boolean function is computed by some MSP over K. 
For a monotone function f, $\mathrm{msp}_K(f)$ will denote the size of the smallest MSP 
over K computing f. We refer to [19] for a characterization of MSP complexity 
in terms of certain combinatorial structures. 

We now look at doing multiplication of values shared using MSP's. If secrets 
a and b have been shared using Shamir's secret sharing scheme to obtain shares 
$(a_1, \dots, a_n)$ and $(b_1, \dots, b_n)$, respectively, it is immediate (see [23]) that ab can be 
computed as a linear combination of the values $a_i b_i$, where each such value can 
be computed locally by a single player. This can be generalized to LSSS's based 
on MSP's: 

Given two d-vectors $x = (x_1, \dots, x_d)$, $y = (y_1, \dots, y_d)$, we let $x \circ y$ be the vector 
containing all entries of the form $x_i \cdot y_j$, where $\psi(i) = \psi(j)$. Thus, if $d_i$ is the number 
of rows owned by player i, then $x \circ y$ has $m = \sum_{i=1}^n d_i^2$ entries. Hence if x and 
y are the share-vectors resulting from sharing two secrets using $\mathcal{M}$, then each 
component of the vector $x \circ y$ can be computed locally by some player. 

Definition 2 A multiplicative MSP is an MSP $\mathcal{M}$ for which there exists an 
m-vector r, called a recombination vector, such that for any two secrets s, s' and 
any $\rho, \rho'$, it holds that 

$s \cdot s' = \langle r, M(s, \rho) \circ M(s', \rho') \rangle$. 

We say that $\mathcal{M}$ is strongly multiplicative if for any player subset A that is 
rejected by $\mathcal{M}$, $\mathcal{M}_{\bar{A}}$ is multiplicative. 

The case of strong multiplication generalizes the threshold case with at most 
t corrupted players where we share secrets using polynomials of degree t < n/3. 
After multiplying points on two polynomials, the honest players can reconstruct 
the product polynomial on their own. 

We define $\mu_K(f)$ to be the size of the smallest multiplicative MSP over K 
computing f ($\infty$ if f cannot be computed). Similarly, $\mu^*_K(f)$ is the complexity 
of f using strongly multiplicative MSP's. By definition, we have $\mathrm{msp}_K(f) \le 
\mu_K(f) \le \mu^*_K(f)$. We now characterize the functions that (strongly) multiplicative 
MSP's can compute, and show that the multiplication property for an MSP can 
be assumed without loss of efficiency. 

Theorem 6 For every finite field K and every monotone function f we have 
$\mu_K(f) < \infty$ if and only if f is $Q^2$, and $\mu^*_K(f) < \infty$ if and only if f is $Q^3$. 



Theorem 7 There exists an efficient algorithm which, on input an MSP $\mathcal{M}$ 
computing a function f, outputs a multiplicative MSP $\mathcal{M}'$ (over the same 
field) computing f and of size at most twice that of $\mathcal{M}$. In particular $\mu_K(f) \le 
2 \cdot \mathrm{msp}_K(f)$ for any K and f. 

We do not know if a similar result is true for strongly multiplicative MSP’s. 
But results which can be found in [32] show some upper bounds on their size, 
and give methods for constructing strongly multiplicative MSP’s. 

Proof of Theorem 7. We make some observations first. Let $f_0$ and $f_1$ 
be monotone functions, computed by MSP's $\mathcal{M}_0 = (K, M_0, \psi)$ and $\mathcal{M}_1 = 
(K, M_1, \psi)$, respectively, where $M_0$ and $M_1$ are $d \times e$ matrices, where the mapping 
$\psi$ is identical for both MSPs, and where the target vector is $t = (1, 0, \dots, 0)$. 
Now suppose that the matrices $M_0$ and $M_1$ satisfy 

$M_0^T M_1 = E$, (1) 

where E is an $e \times e$ matrix that is zero everywhere, except in its upper-left corner 
where the entry is 1. Next we prove the following claim. 

Claim: From MSP's $\mathcal{M}_0$ and $\mathcal{M}_1$ as defined above, one can construct a 
multiplicative MSP computing $f_0 \vee f_1$ of size at most 2d. 

Proof of Claim: Consider the following straightforward LSSS. The dealer 
shares the secret $s \in K$ using $\mathrm{LSSS}_0$ and $\mathrm{LSSS}_1$, given by $\mathcal{M}_0$ and $\mathcal{M}_1$, respectively. 
That is, he selects a pair of vectors $(b_0, b_1)$ at random, except that the 
first entries are both s: $\langle t, b_0 \rangle = \langle t, b_1 \rangle = s$. Then he computes the pair of 
vectors $(s_0, s_1) = (M_0 b_0, M_1 b_1)$, and sends for $i = 1, \dots, n$ the i-th coordinates of 
$s_0$ and $s_1$ to player $P_{\psi(i)}$. It is clear that a subset A of the players can reconstruct 
s from their joint shares if and only if A is accepted by the function $f_0 \vee f_1$, i.e. 
A must be qualified w.r.t. either $\mathrm{LSSS}_0$ or $\mathrm{LSSS}_1$. 

Now we look at multiplication. Assume that $s' \in K$ is a secret with full set 
of shares $(s'_0, s'_1) = (M_0 b'_0, M_1 b'_1)$, where $\langle t, b'_0 \rangle = \langle t, b'_1 \rangle = s'$. Let $s_0 * s'_1$ be 
the d-vector obtained by coordinate-wise multiplication of $s_0$ and $s'_1$. Then from 
(1) we have 

$\langle \mathbf{1}, s_0 * s'_1 \rangle = s_0^T s'_1 = b_0^T M_0^T M_1 b'_1 = b_0^T E b'_1 = s s'$, (2) 

where $\mathbf{1}$ denotes the all-one vector of appropriate length. Note that for each i, 
the shares in the i-th coordinate of $s_0$ and the i-th coordinate of $s'_1$ are held by 
the same player. 

We now build an MSP $\mathcal{M}$ with a 2d by 2e matrix M as follows: first make a 
matrix M' filled in with $M_0$ in the upper left corner and $M_1$ in the lower right 
corner. Let k be the column in M' that passes through the first column of $M_1$. 
Add k to the first column of M' and delete k from the matrix. Let M be the 
result of this. The labeling of M is carried over in the natural way from $\mathcal{M}_0$ and 
$\mathcal{M}_1$. Clearly, $\mathcal{M}$ corresponds exactly to the LSSS we just constructed. It is clear 
that the vector $(s_0, s_1) \circ (s'_0, s'_1)$ contains among its entries the entries of $s_0 * s'_1$. 
Thus the vector with 1's corresponding to these entries and 0's elsewhere can 
be used as recombination vector, which shows that $\mathcal{M}$ is multiplicative. This 
concludes the proof of the claim. 

We are now ready to prove Theorem 7. Recall that the dual function $f^*$ of 
f is defined by: $f^*(x) = \overline{f(\bar{x})}$. We assume in the following that f is $Q^2$, i.e. 
$f(x) = 0$ implies $f(\bar{x}) = 1$ and thus $f^*(x) = 0$. It follows that $f = f \vee f^*$. 

Let $\mathcal{M} = (K, M, \psi)$ be an MSP computing f, with target vector equal to 
$t = (1, 0, \dots, 0)$. To build a multiplicative MSP for f, we apply the above claim. 
We set $f_0 = f$, $f_1 = f^*$ and $\mathcal{M}_0 = \mathcal{M}$. It is then sufficient to find $\mathcal{M}_1$ computing 
$f_1 = f^*$ so that the pair $M_0, M_1$ satisfies equation (1). 

In [20] a construction is presented which, given an MSP $\mathcal{N} = (K, N, \psi)$ of 
size d computing f (and with target vector $(1, \dots, 1)$), yields a "dual" MSP 
$\mathcal{N}^* = (K, N^*, \psi)$ computing $f^*$ (also with target vector $(1, \dots, 1)$). The construction 
is as follows. $N^*$ has also d rows and the same labeling as N and 
consists of one column for each set A accepted by f, namely a (reconstruction) 
vector $\lambda$ satisfying $\lambda^T N = (1, \dots, 1)$ and $\lambda_{\bar{A}} = 0$. The matrix $N^*$ has generally 
exponentially many columns, but it is easy to see that any linearly independent 
generating subset of them (at most d) will also constitute a matrix of an MSP 
for the same access structure. This construction process if used directly is not 
efficient, but the matrix $N^*$ can be constructed efficiently, without enumerating 
all columns [17]. It follows from the construction that $N^T N^*$ is an all-one 
matrix, which we call U. 

In our case the target vector of $\mathcal{M}$ is $t = (1, 0, \dots, 0)$ instead of $(1, \dots, 1)$, 
but the target vector can be transformed by adding the first column of M to 
every other column of M. More formally, let H be the isomorphism that sends 
an e-(column) vector to an e-(column) vector by adding its first coordinate to 
each other coordinate. Write $N = M H^T$. Then the MSP $\mathcal{N} = (K, N, \psi)$ is as $\mathcal{M}$ 
except that the target vector is all-one. Now let $\mathcal{N}^* = (K, N^*, \psi)$ be its dual MSP 
as constructed above. Finally write $M^* = N^* (H^{-1})^T$. Then $\mathcal{M}^* = (K, M^*, \psi)$ 
has target vector t and computes $f^*$. Observe that $M^T M^* = H^{-1} U (H^{-1})^T = 
E$, as desired. Theorem 7 follows. △ 

Proof of Theorem 6. Since MSP's compute all monotone functions, it 
follows directly from this fact and Theorem 7 that every $Q^2$-function is computed 
by a multiplicative MSP. This also follows from the secret sharing scheme 
used in [2], and this argument can be extended to prove that every $Q^3$-function 
is computed by a strongly multiplicative MSP. We conclude the proof by showing 
that multiplicative MSP's compute $Q^2$-functions. The proof in the $Q^3$-case 
is similar, and is omitted. 

Let $\mathcal{M} = (K, M, \psi)$ be an MSP with target vector t computing a monotone 
Boolean function f on n input bits, and let $\mathcal{A}_f$ be the adversary structure associated 
with f. Suppose that $\mathcal{M}$ is multiplicative, but that $\mathcal{A}_f$ is not $Q^2$. Thus, 
there exists a set $A \subseteq \{1, \dots, n\}$ such that $A \cup \bar{A} = \{1, \dots, n\}$ and $A, \bar{A} \in \mathcal{A}_f$. 
The latter implies that neither the rows of $M_A$ nor those of $M_{\bar{A}}$ span t. Hence, 
by the duality argument there exist vectors $\kappa$ and $\kappa'$, both with first coordinate 
equal to 1, such that $M_A \kappa = 0$ and $M_{\bar{A}} \kappa' = 0$. By the multiplication property, 
on one hand it follows that $\langle r, M\kappa \circ M\kappa' \rangle = 1$, where r is the recombination 
vector. But on the other hand, $M\kappa \circ M\kappa' = 0$, by the choice of $\kappa, \kappa'$, and 
the fact that $A \cup \bar{A} = \{1, \dots, n\}$, so this scalar product must be equal to 0: a 
contradiction. △ 



5 Homomorphic Commitments and VSS 

5.1 Preliminaries 

We introduce some conventions and notation to be used in the protocol descriptions 
throughout the rest of the paper. We assume throughout (without loss of 
generality, and in accordance with the previous literature) that the function to 
be computed by $\{P_1, \dots, P_n\}$ is given as an arithmetic circuit C of size $|C|$ over 
some finite field K, consisting of addition and multiplication gates. Our protocols 
are described making use of a broadcast channel. But note that in the i.t. 
scenario with an active adversary, we do not assume that such a channel is given 
for free as part of the model; however, it can efficiently be simulated using the 
protocol of [18] that is secure against any given adversary structure. 

Let $\mathcal{M}$ be an MSP computing a $Q^2$ (or $Q^3$) function f. We will assume for 
simplicity that $\psi$ is 1-1, i.e. each player owns exactly one row in $\mathcal{M}$. In this 
case, $(a_1, \dots, a_n) \circ (b_1, \dots, b_n) = (a_1 b_1, \dots, a_n b_n)$. The generalization to many rows 
per player is straightforward, but would lead to rather complicated notation. 

5.2 Overview of Commitments and Related Protocols 

To prove Theorem 1, it is sufficient to construct, for each MSP $\mathcal{M} = (K, M, \psi)$ 
computing a function f, an efficient VSS that is secure against an active $\mathcal{A}_f$-adversary. 
We first discuss generic primitives sufficient to construct an efficient 
VSS protocol and conclude by providing concrete realizations of these primitives. 

A commitment scheme (for a given adversary structure $\mathcal{A}$) consists of two 
protocols: the protocol Commit allows a player $P_i$ (the dealer) to commit to a 
value a and the protocol Open allows him later to reveal the committed value. 
The total information stored by the players after the protocol Commit is called 
the commitment and will be denoted $[a]_i$. Both protocols may be interactive protocols 
among the players and result either in the players accepting the outcome, 
or disqualifying the dealer. A commitment scheme must hide the committed 
value in the presence of an $\mathcal{A}$-adversary, and it must bind the dealer to the committed 
value, i.e. there is at most one value that the dealer can get accepted 
during the Open protocol. Both these properties can hold unconditionally, or 
relative to a computational assumption, depending on the scenario. 
The crucial property we need is that commitments are homomorphic, which 
means that from commitments $[a]_i$ and $[b]_i$ the players can compute without 
interaction a commitment $[a + b]_i$ by $P_i$ to the sum of the values, and that for 
a constant m they can compute $[ma]_i$. Thus, any linear function on committed 
values can be computed non-interactively. Homomorphic commitments have 
been used before in the context of zero-knowledge (e.g. [12]) and are implicit in 
some MPC protocols (e.g. [10]). We need two auxiliary protocols: 

— A commitment transfer protocol (CTP) allows player $P_i$ to transfer a commitment 
to player $P_j$ (who of course learns a in the process), i.e. to convert 
$[a]_i$ into $[a]_j$. It must be guaranteed that this protocol leaks no information 
to the adversary if $P_i$ and $P_j$ are honest throughout the protocol, but also 
that the new commitment contains the same value as the old, even if $P_i$ and 
$P_j$ are both corrupt. It is therefore less trivial than one might expect. 

— A commitment sharing protocol (CSP) allows player $P_i$ to convert a committed 
value $[a]_i$ into a set of commitments to shares of a: $[a_1]_1, \dots, [a_n]_n$, where 
$(a_1, \dots, a_n) = M(a, \rho)$ for a random vector $\rho$ chosen by $P_i$. This must hold 
even if $P_i$ is corrupt, and must leak no information to the adversary if $P_i$ is 
honest throughout the protocol. 

The CSP protocol is easy to describe at a general level: starting from $[a]_i$, $P_i$ 
chooses a random vector $(\rho_1, \dots, \rho_{e-1})$ and commits to $\rho_1, \dots, \rho_{e-1}$, resulting in 
$[\rho_1]_i, \dots, [\rho_{e-1}]_i$. Let $(a_1, \dots, a_n)$ be the shares resulting from sharing a using the 
$\rho_i$'s as random choices. Each $a_j$ is a linear function of the committed values, and 
hence the players can compute $[a_1]_i, \dots, [a_n]_i$ non-interactively. Finally, $P_i$ uses 
CTP to convert $[a_j]_i$ into $[a_j]_j$, for $j = 1, \dots, n$. 

Committing to a and then performing CSP is equivalent to verifiably secret 
sharing (VSS) of a: the commitments to shares prevent corrupted players from 
contributing false shares when the secret is reconstructed. It remains to give 
efficient realizations of commitments and the CTP. 



5.3 Realization of Commitments 

To have a player D commit to a one could have him secret share a using $\mathcal{M}$. 
However, D may be corrupt and so must be prevented from distributing inconsistent 
shares. In the special case of threshold secret sharing, this means ensuring 
that all uncorrupted players hold points on a polynomial of bounded degree. For 
this purpose, we propose a protocol that can be seen as a generalization of the 
BGW-protocol from [5] where a bivariate polynomial was used^: 

^ Apart from the threshold case [5], our protocol is a VSS, i.e. efficient reconstruction 
without the help of the dealer is possible, if for each set B whose complement is in $\mathcal{A}$, 
the matrix $M_B$ has full rank. In this case, players should store all information received 
from the dealer to reconstruct efficiently. In general, however, we cannot guarantee 
efficient reconstruction, so we only use it here as a commitment scheme. 
1. To commit to $s \in K$, D chooses a symmetric $e \times e$ matrix R at random, 
except that R has s in the upper left corner.^ Let $v_i$ be the row in M assigned 
to $P_i$ and let $v_i^T$ be its transpose (a column vector). Then D sends to $P_i$ the 
vector $u_i = R v_i^T$. The share $s_i$ of s given to $P_i$ is defined to be the first entry 
of $u_i$. Hence the product $\langle v_j, u_i \rangle := s_{ij}$ can be thought of as a share of $s_i$ 
given to $P_j$. Note that we have $\langle v_j, u_i \rangle = \langle v_j R, v_i^T \rangle = \langle v_i, R v_j^T \rangle = \langle v_i, u_j \rangle$. 

2. $P_i$ sends to each $P_j$ the value $\langle v_j, u_i \rangle$, who compares this to $\langle v_i, u_j \rangle$ and 
broadcasts a message complaint(i, j) if the values are not equal. 

3. In response to complaint(i, j), D must broadcast the correct value of $s_{ij}$. 

4. If any player $P_i$ finds that the information broadcast by D does not match 
what he received from D in step 1, he broadcasts an accusation, thus claiming 
that D is corrupt. 

5. In response to an accusation by $P_i$, D must broadcast all information sent 
to $P_i$ in step 1. 

6. The information broadcast by D in the previous step may lead to further 
accusations. This process continues until the information broadcast by D 
contradicts itself, or he has been accused by a set of players not in $\mathcal{A}$, or 
no new complaints occur. In the first two cases, D is clearly corrupt and is 
disqualified. In the last case, the commit protocol is accepted by the honest 
players, and accusing players accept the share broadcast for them by D. 

To open a commitment, D broadcasts s and the full set of shares $\{s_i\}$, and 
each player broadcasts a binary message ("agree" or "complain"). If the shares 
consistently determine s and only a set of players in $\mathcal{A}$ complained, then the 
opening is accepted. 
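The commit and open steps above, as an added example that is not part of the original paper: a Python run over GF(101) with the threshold MSP in which $P_i$ owns the single row $(1, i, \dots, i^t)$, showing the step-2 cross-check catching an inconsistent $u_i$ and the open check rejecting any value other than s; the prime, player count, seed and the tampering are constructed.

```python
# Added example, not the paper's own code: the commitment scheme of Section 5.3
# instantiated with a threshold MSP over GF(p) in which P_i owns the single row
# v_i = (1, i, ..., i^t).  The prime, player count, seed and the tampering are
# constructed for the demonstration.
import random

P = 101        # constructed prime, the field K = GF(101)
N, T = 7, 2    # constructed: 7 players; adversary structure A = all sets of size <= 2
E = T + 1      # columns e of M; a set is qualified iff it has >= e players


def row(i):
    """Row v_i of M owned by P_i: (1, i, i^2, ..., i^t) mod p."""
    return [pow(i, k, P) for k in range(E)]


def dot(x, y):
    """Scalar product <x, y> over GF(p)."""
    return sum(a * b for a, b in zip(x, y)) % P


def commit(s, rng):
    """Step 1: D picks a random symmetric e x e matrix R with s in the upper-left
    corner and sends u_i = R v_i^T to P_i.  Returns {i: u_i}."""
    R = [[0] * E for _ in range(E)]
    for a in range(E):
        for b in range(a, E):
            R[a][b] = R[b][a] = rng.randrange(P)
    R[0][0] = s % P
    return {i: [dot(R[a], row(i)) for a in range(E)] for i in range(1, N + 1)}


def shares_of(u):
    """The share s_i of s held by P_i is the first entry of u_i."""
    return {i: u_i[0] for i, u_i in u.items()}


def complaints(u):
    """Step 2: P_i sends s_ij = <v_j, u_i> to P_j, who compares it with <v_i, u_j>
    and broadcasts complaint(i, j) on a mismatch.  Returns all complaints."""
    return [(i, j) for i in u for j in u
            if i < j and dot(row(j), u[i]) != dot(row(i), u[j])]


def solvable(aug):
    """True iff the augmented system aug (rows [a_1 .. a_m | rhs]) over GF(p)
    has a solution: Gaussian elimination, then look for rows 0 = nonzero."""
    A = [r[:] for r in aug]
    m = len(A[0]) - 1
    piv = 0
    for col in range(m):
        pr = next((r for r in range(piv, len(A)) if A[r][col]), None)
        if pr is None:
            continue
        A[piv], A[pr] = A[pr], A[piv]
        inv = pow(A[piv][col], -1, P)
        A[piv] = [x * inv % P for x in A[piv]]
        for r in range(len(A)):
            if r != piv and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % P for x, y in zip(A[r], A[piv])]
        piv += 1
    return all(any(r[:m]) or r[m] == 0 for r in A)


def open_accepted(s, shares, complainers):
    """Open: D broadcasts s and all shares {s_i}.  Accepted iff the shares are
    consistent with M(s, rho) for some rho, i.e. M b = shares with b_1 = s is
    solvable, and the set of complaining players lies in A (here: size <= t)."""
    if len(complainers) > T:
        return False
    # substitute the known first coordinate b_1 = s, leaving e - 1 unknowns
    aug = [row(i)[1:] + [(shares[i] - s) % P] for i in sorted(shares)]
    return solvable(aug)


def demo():
    """Honest dealer: no complaints, opening s succeeds and opening any other
    value fails.  Corrupt dealer: an inconsistent u_3 is caught by every other
    player's cross-check in step 2."""
    rng = random.Random(7)      # constructed seed, for reproducibility
    s = 42
    u = commit(s, rng)
    honest = (complaints(u) == []
              and open_accepted(s, shares_of(u), set())
              and not open_accepted(s + 1, shares_of(u), set()))
    u[3][1] = (u[3][1] + 1) % P   # D tampers with what P_3 receives
    return honest, sorted(complaints(u))


if __name__ == "__main__":
    print(demo())
```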

We now explain why this commitment scheme works. First, assume D remains 
honest throughout the commit protocol. To show that the adversary obtains 
no information about s, note first that steps 2-6 of the commit protocol 
are designed such that the adversary learns nothing he was not already told in 
step 1. Now let A be any set in $\mathcal{A}$, and let $M_A R$ denote the information received 
by the players in A in the commit phase; finally let X be any symmetric 
matrix satisfying the equation $M_A X = M_A R$, and having some $\tilde{s} \in K$ in its 
upper-left corner. Since A is rejected by $\mathcal{M}$, it follows by the duality argument 
that there exists a vector $\mu = (\mu_1, \dots, \mu_e) \in \mathrm{Ker}\, M_A$ with $\mu_1 = 1$. Consider 
the matrix $\mu \otimes \mu$. Note that this matrix is symmetric and that it has 1 in its 
upper-left corner. Then $X + (s - \tilde{s})\, \mu \otimes \mu$ satisfies the equation as well, has s in 
its upper left corner and is symmetric. Hence, for each possible s, the number of 
different solutions X with s in the upper left corner is the same, and hence the 
adversary learns no information on s in step 1. Finally note that if D remains 
honest throughout, all honest players will agree with him, so the opening always 
succeeds. 

Now assume that D is corrupt. We know that a set of players not in $\mathcal{A}$, 
i.e. large enough to uniquely determine a secret shared by $\mathcal{M}$, remain honest 
throughout the commit protocol (this is called a qualified set). Assume wlog 
that these are the first t players. The commit protocol ensures that if D is not 
disqualified then each pair of honest players agree on the value $s_{ij}$ they have in 
common. Furthermore, if $P_i$ is honest, all the $s_{ij}$'s known to him are consistent 
with $u_i$. Define the symmetric $n \times n$ matrix S to be the matrix containing all the 
$s_{ij}$'s known to players $P_1, \dots, P_t$ (this leaves entries $s_{ij}$ with $i, j > t$ undefined). 
For $i < t$, the i'th column determines $s_i$ uniquely, as a fixed linear combination of 
the first t entries (since the first t players form a qualified set). The coefficients in 
this linear combination depend only on M and so are the same for any column. 
It follows that the row of shares $(s_1, \dots, s_n)$ is determined as a linear combination 
of the first t rows of S. Since each of these rows consistently determines a secret 
(namely $s_i$ for the i'th row), it follows by linearity of MSP secret sharing that 
the row $(s_1, \dots, s_n)$ consistently determines some secret s. 

^ One can think of step 1 in this protocol (choosing R) as corresponding to choosing 
a symmetric bivariate polynomial in the VSS protocol of [5]. 

It remains to be shown that opening the commitment must either reveal s or 
be rejected. Assume the opening is accepted. Then consider the full player set 
and subtract the set of corrupt players and the set of players who complained 
about the opening. The remaining set cannot be in $\mathcal{A}$ by the property and 
so is qualified. It consists of honest players that did not complain, i.e. the shares 
revealed for them are the same as those received in the commitment phase. Hence 
the revealed value must be s. 

5.4 Realization of the CTP 

The following protocol converts $[a]_i$ into $[a]_j$: 

1. Given a commitment $[a]_i$ realized as above with $P_i$ in the role of D, $P_i$ sends 
privately the shares determining a to $P_j$. If this information is not consistent, 
then $P_j$ broadcasts a complaint, and the protocol continues at step 4. 

2. $P_j$ commits to a (independently), resulting in $[a]_j$. 

3. Using linearity of commitments, $P_j$ opens the difference $[a]_i - [a]_j$ to reveal 0, 
using the information from step 1 as if he created $[a]_i$ himself. If this succeeds, 
the protocol ends. Otherwise do Step 4. 

4. If we arrive at this step, it is clear that at least one of $P_i$ and $P_j$ is corrupt, 
so $P_i$ must then open $[a]_i$ in public, and we either disqualify $P_i$ (if he fails) 
or continue with a default commitment to a assigned to $P_j$. 

6 MPC Secure against Passive Adversaries 

To prove Theorem 2, it is sufficient to construct for each MSP $\mathcal{M} = (K, M, \psi)$ 
computing a function f, an efficient protocol that is secure against a passive 
$\mathcal{A}_f$-adversary. By Theorem 7 we can assume without loss of generality (or 
efficiency) that $\mathcal{M}$ is multiplicative. 

The protocol, which is a generalization of a threshold protocol appearing 
in [23], starts by letting each player share each of his inputs using $\mathcal{M}$ and send 
a share to each player. The given arithmetic circuit over K is then processed 
gate by gate, maintaining as invariant that all inputs and intermediate results are 
secret-shared, i.e. each such value $a \in K$ is shared (using $\mathcal{M}$) by shares $a_1, \dots, a_n$, 
where $P_i$ holds $a_i$. Moreover, if a depends on an input from an honest player, this 
must be a random set of shares with the only constraint that it determines a. At 
the beginning, only the input values are classified as having been computed. Once 
an output value x has been computed, it can be reconstructed in the obvious 
way by broadcasting the shares $x_1, \dots, x_n$. It is therefore sufficient to show how 
addition and multiplication gates are handled. Assume the input values to a gate 
are a and b, determined by shares $a_1, \dots, a_n$ and $b_1, \dots, b_n$, respectively. 

Addition. For $i = 1, \dots, n$, $P_i$ computes $a_i + b_i$. The shares $a_1 + b_1, \dots, a_n + b_n$ 
determine $a + b$ as required by the invariant. 

Multiplication. For $i = 1, \dots, n$, $P_i$ computes $a_i \cdot b_i = c_i$. 

Resharing step: $P_i$ secret shares $c_i$, resulting in shares $c_{i1}, \dots, c_{in}$, and sends 
$c_{ij}$ to player $P_j$. 

Recombination step: For $j = 1, \dots, n$, player $P_j$ computes $c_j = \sum_{i=1}^n r_i c_{ij}$, 
where $(r_1, \dots, r_n)$ is a fixed recombination vector of $\mathcal{M}$. The shares $c_1, \dots, c_n$ 
determine $c = ab$ as required by the invariant. 
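The multiplication gate just described, together with the recombination vector of Definition 2 in Section 4, as an added example that is not part of the original paper: Python over GF(101) with the threshold MSP in which each player owns the row $(1, i, \dots, i^t)$ and $n = 2t + 1$; for this MSP the recombination vector is the degree-2t Lagrange vector at 0 (the threshold case of [23]), and all constants and seeds are constructed.

```python
# Added example, not the paper's own code: the passive multiplication gate of
# Section 6 (local product, resharing, recombination) over GF(p) with the
# threshold MSP in which P_i owns the single row v_i = (1, i, ..., i^t).  For this
# MSP a recombination vector in the sense of Definition 2 is the Lagrange vector
# at 0 for degree 2t, which requires n >= 2t + 1 players.  Constants constructed.
import random

P = 101        # constructed prime, the field K = GF(101)
N, T = 5, 2    # constructed: n = 5 players, threshold t = 2, so n = 2t + 1
E = T + 1      # columns e of M


def row(i):
    """Row v_i of M owned by P_i."""
    return [pow(i, k, P) for k in range(E)]


def dot(x, y):
    return sum(a * b for a, b in zip(x, y)) % P


def share(s, rng):
    """M(s, rho): b = (s, rho) with rho random in K^{e-1}; P_i receives <v_i, b>."""
    b = [s % P] + [rng.randrange(P) for _ in range(E - 1)]
    return {i: dot(row(i), b) for i in range(1, N + 1)}


def lagrange_at_zero(points):
    """Coefficients l_i with sum_i l_i f(i) = f(0) for every polynomial f of
    degree < len(points), given the x-coordinates in points."""
    coef = {}
    for i in points:
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        coef[i] = num * pow(den, -1, P) % P
    return coef


# recombination vector r = (r_1, ..., r_n): interpolates degree 2t at 0
RECOMB = lagrange_at_zero(range(1, N + 1))


def reconstruct(shares):
    """Any t + 1 shares of a degree-t sharing determine the secret; use the
    first t + 1 players."""
    pts = sorted(shares)[:T + 1]
    lam = lagrange_at_zero(pts)
    return sum(lam[i] * shares[i] for i in pts) % P


def multiplication_property(a_sh, b_sh):
    """Definition 2: s * s' = <r, M(s, rho) o M(s', rho')>; with one row per
    player the entries of the o-product are the local products a_i * b_i."""
    return sum(RECOMB[i] * a_sh[i] * b_sh[i] for i in a_sh) % P


def multiply_gate(a_sh, b_sh, rng):
    """Section 6: P_i computes c_i = a_i b_i, reshares c_i into c_i1 .. c_in and
    sends c_ij to P_j; P_j then recombines c_j = sum_i r_i c_ij.  Returns the
    new sharing (c_1, ..., c_n) of c = ab."""
    c_local = {i: a_sh[i] * b_sh[i] % P for i in a_sh}
    reshared = {i: share(c_local[i], rng) for i in c_local}   # c_ij = reshared[i][j]
    return {j: sum(RECOMB[i] * reshared[i][j] for i in reshared) % P
            for j in a_sh}


def demo(a, b, seed=3):
    """Returns (ab mod p, the value recombined directly from local products,
    the value reconstructed from the gate's output sharing by t + 1 players)."""
    rng = random.Random(seed)     # constructed seed
    a_sh, b_sh = share(a, rng), share(b, rng)
    c_sh = multiply_gate(a_sh, b_sh, rng)
    return a * b % P, multiplication_property(a_sh, b_sh), reconstruct(c_sh)


if __name__ == "__main__":
    print(demo(17, 23))
```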

We do not have space to prove formally the security of this protocol here. 
However, to get a feeling for why it is secure, note first that the addition and 
multiplication step compute correct results simply by linearity of the secret shar- 
ing, and by the multiplication property. To argue that privacy is maintained, the 
crucial point is to show that the sharing of a result c of the multiplication step 
starting from a, b is random with the only restriction that it determines c (the 
corresponding result for addition is trivial) . 

It is easily seen that the set of shares determining c can be written as 
$(c_1, \dots, c_n) = M(c, \rho)$, where in fact $\rho = \sum_{i=1}^n r_i \rho_i$, where $\rho_i$ was chosen by 
$P_i$. Let $B = \{P_i \mid r_i \neq 0\}$. We claim that $B \notin \mathcal{A}$. Indeed, let $\mathcal{M}$ be an MSP with 
multiplication, and let r be a recombination vector. Then $B = \{P_i \mid r_i \neq 0\} \notin \mathcal{A}$. 
Towards a contradiction, suppose $B \in \mathcal{A}$. By the duality argument, choose $\kappa$ 
such that $M_B \kappa = 0$ and the first coordinate $\kappa_1$ of $\kappa$ is 1. Then by definition 
of the multiplication property we have that $1 = \kappa_1 \cdot \kappa_1 = \langle r, M\kappa \circ M\kappa \rangle$. But on 
the other hand, since $M_B \kappa \circ M_B \kappa = 0$ and $r_{\bar{B}} = 0$, this must be equal to 0, 
a contradiction. This proves the claim. Therefore, the choice of at least one $\rho_j$ 
where $r_j \neq 0$ remains unknown to the adversary and is made randomly and 
independently of anything else. This can be used when building a simulator for 
an adversary: when he corrupts a player, what we have to do is essentially to 
come up with a random share for this player of each shared value. Each such 
share must be consistent with what the adversary already knows. By the above, 
this can be handled independently for each shared value, and so can be easily 
done by solving a system of linear equations. 

7 MPC Secure against Active Adversaries 

To prove Theorem 3, it is sufficient to construct for each MSP $\mathcal{M} = (K, M, \psi)$ 
computing a function f, an efficient protocol that is secure against an active 
$\mathcal{A}_f$-adversary. Since $Q^3$-functions are in particular $Q^2$-functions, we can assume by 
Theorem 7 without loss of generality (or efficiency) that $\mathcal{M}$ is multiplicative. 

Like in some previous protocols, the basic approach is to ensure that all 
players are committed to the values they hold, and to have them prove that 
they are performing their local operations correctly. In what follows, we use a 
generic commitment scheme and auxiliary protocols as in Section 5. 

7.1 The CMP Protocol 

We need an additional primitive, namely a Commitment Multiplication Protocol 
(CMP). Such a protocol starts from commitments $[a]_i, [b]_i, [c]_i$ and allows $P_i$ 
to convince the other players that $ab = c$. If $P_i$ is corrupted, then the honest 
players should accept the proof only if $ab = c$ (in the cryptographic scenario, 
a negligible error probability is allowed). If $P_i$ remains honest, it must leak no 
information to the adversary beyond the fact that $ab = c$. Moreover, in the event 
that $[c]_i$ is opened, the adversary must learn nothing about a, b beyond what is 
implied by c and the other information he holds. The following CMP protocol is 
a generalization of a protocol suggested in [14] and works for any homomorphic 
commitment scheme. 

1. Inputs are commitments $[a]_i, [b]_i, [c]_i$ where $P_i$ claims that $ab = c$. $P_i$ chooses 
a random $\beta$ and makes commitments $[\beta]_i, [\beta b]_i$. 

2. The other players jointly generate a random challenge r using standard techniques. 

3. $P_i$ opens the commitment $r[a]_i + [\beta]_i$ to reveal a value $r_1$. $P_i$ opens the 
commitment $r_1[b]_i - [\beta b]_i - r[c]_i$ to reveal 0. 

4. If any of these openings fail, the proof is rejected, else it is accepted. 

It is easy to show that if $P_i$ is honest, then all values opened are random (or 
fixed to 0) and so reveal no extra information to the adversary. Furthermore, if 
after committing in step 2, $P_i$ can answer correctly two different challenges, then 
$ab = c$. Thus the error probability is at most $1/|K|$, and the protocol can be 
iterated to reach any desired error probability. In [32], we show that an error-free 
CMP protocol can be built based on a strongly multiplicative MSP. 
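The CMP protocol above, as an added example that is not part of the original paper: Python with Pedersen commitments standing in for the generic homomorphic commitment scheme (the paper does not fix one here), using constructed toy parameters p = 2039, q = 1019 and generators 4 and 49; the run shows the honest case accepted for every challenge and a false claim $c \neq ab$ rejected for every challenge except r = 0.

```python
# Added example, not the paper's own code: the CMP protocol of Section 7.1 run
# on Pedersen commitments C(x, rho) = g^x h^rho in the order-q subgroup of Z_p^*,
# a homomorphic commitment scheme as the protocol requires.  The toy parameters
# p = 2039, q = 1019 and the generators are constructed; in a real deployment h
# must be generated so that nobody knows log_g(h).
import random

P, Q = 2039, 1019   # constructed: p = 2q + 1, both prime; values live in K = GF(q)
G, H = 4, 49        # constructed squares mod p, hence of order q


def commit(x, rho):
    """Pedersen commitment to x in GF(q) with randomness rho."""
    return pow(G, x % Q, P) * pow(H, rho % Q, P) % P


def combine(*terms):
    """Homomorphic linear combination: prod C_k^{m_k} over (C_k, m_k) pairs is a
    commitment to sum m_k x_k with randomness sum m_k rho_k."""
    out = 1
    for c, m in terms:
        out = out * pow(c, m % Q, P) % P
    return out


def check_open(c, x, rho):
    """Opening c to (x, rho) is accepted iff c == C(x, rho)."""
    return c == commit(x, rho)


class Prover:
    """P_i, holding [a]_i, [b]_i, [c]_i with their openings, claiming ab = c."""

    def __init__(self, a, b, c, rng):
        self.v = {"a": a % Q, "b": b % Q, "c": c % Q}
        self.r = {k: rng.randrange(Q) for k in self.v}
        self.rng = rng

    def commitments(self):
        return {k: commit(self.v[k], self.r[k]) for k in ("a", "b", "c")}

    def step1(self):
        """Choose a random beta and commit to beta and beta*b."""
        beta = self.rng.randrange(Q)
        self.v["beta"], self.v["beta_b"] = beta, beta * self.v["b"] % Q
        self.r["beta"], self.r["beta_b"] = self.rng.randrange(Q), self.rng.randrange(Q)
        return {k: commit(self.v[k], self.r[k]) for k in ("beta", "beta_b")}

    def step3(self, r):
        """Open r[a] + [beta] to r_1, then r_1[b] - [beta b] - r[c] to 0, by
        revealing each value together with the combined randomness."""
        v, rho = self.v, self.r
        r1 = (r * v["a"] + v["beta"]) % Q
        rho1 = (r * rho["a"] + rho["beta"]) % Q
        zero = (r1 * v["b"] - v["beta_b"] - r * v["c"]) % Q
        rho2 = (r1 * rho["b"] - rho["beta_b"] - r * rho["c"]) % Q
        return (r1, rho1), (zero, rho2)


def cmp_run(prover, r):
    """Steps 1-4 with a given challenge r (step 2 is normally a joint coin flip).
    Returns True iff the verifying players accept the proof that ab = c."""
    C = prover.commitments()
    C.update(prover.step1())
    (r1, rho1), (zero, rho2) = prover.step3(r)
    ok1 = check_open(combine((C["a"], r), (C["beta"], 1)), r1, rho1)
    ok2 = check_open(combine((C["b"], r1), (C["beta_b"], -1), (C["c"], -r)),
                     zero, rho2)
    return ok1 and ok2 and zero == 0


def demo(seed=5):
    """Honest prover (c = ab): accepted for every challenge tried.  Cheating
    prover (c = ab + 1): accepted only for r = 0, matching the 1/|K| error bound."""
    rng = random.Random(seed)      # constructed seed
    a, b = 123, 456
    challenges = range(0, Q, 97)
    honest = all(cmp_run(Prover(a, b, a * b, rng), r) for r in challenges)
    cheats = [r for r in challenges if cmp_run(Prover(a, b, a * b + 1, rng), r)]
    return honest, cheats


if __name__ == "__main__":
    print(demo())
```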

7.2 The General MPC Protocol 

The general MPC protocol starts by asking each player to VSS each of his input 
values as described above: he commits to the value and then performs CSP. A 
player failing to execute this correctly is disqualified and we take default values 
for his inputs. 

We then work our way through the given arithmetic circuit, maintaining as 
invariant that all inputs and intermediate results computed so far are VSS’ed as 
described above, i.e. each such value a is shared (using M) by committed shares 
[a_1]_1, ..., [a_n]_n where all these shares are correct, also those held by corrupted 
players. Moreover, if a depends on an input from an honest player, this must 
be a random set of shares with the only constraint that it determines a. At the 
beginning, only the input values are classified as having been computed. 

Once an output value x has been computed, it can be reconstructed in the 
obvious way by opening commitments to the shares x_1, ..., x_n. This will succeed, 
as the honest players will contribute enough correct shares, and a corrupted 
player can only choose between contributing a correct share, or be disqualified by 
trying to open an incorrect value. It is therefore sufficient to show how addition 
and multiplication gates are handled. Assume the input values to a gate are a 
and b, determined by committed shares [a_1]_1, ..., [a_n]_n and [b_1]_1, ..., [b_n]_n. 

Addition. For i = 1, ..., n, P_i computes a_i + b_i and the players (non-inter- 
actively) compute [a_i + b_i]_i. By linearity of the secret sharing and commit- 
ments, [a_1 + b_1]_1, ..., [a_n + b_n]_n determine a + b as required by the invariant. 

Multiplication. For i = 1..n, P_i computes a_i · b_i = c_i, commits to it, and 
performs CMP on inputs [a_i]_i, [b_i]_i, [c_i]_i. 

Resharing step: P_i performs CSP on [c_i]_i, resulting in the commitments 
[c_{i1}]_1, ..., [c_{in}]_n. We describe below how to recover if P_i fails to execute this 
phase correctly. 

Recombination step: For j = 1..n, player P_j computes $c_j = \sum_{i=1}^{n} r_i c_{ij}$, where 
(r_1, ..., r_n) is a fixed recombination vector. Also all players compute (non- 
interactively) $[c_j]_j = \sum_{i=1}^{n} r_i [c_{ij}]_j = [\sum_{i=1}^{n} r_i c_{ij}]_j$. By the multiplication 
property and linearity of M, the commitments [c_1]_1, ..., [c_n]_n determine c = 
ab as required by the invariant. 

It remains to be described what should be done if a player P_i fails to execute 
the multiplication and resharing step above. In general, the simplest way to han- 
dle such failures is to go back to the start of the computation, open the input 
values of the players that have just been disqualified, and restart the compu- 
tation, simulating openly the disqualified players. This allows the adversary to 
slow down the protocol by a factor at most linear in n. This protocol, together 
with the VSS and main MPC protocols described previously, is the basis for 
proving Theorem 3. 

The described approach for dealing with cheaters can be used only for secure 
function evaluation, but not for an ongoing secure computation. For the latter, 
one can introduce an additional level of sharings: each value a player is committed 
to in the above description is shared again among the players, with each player 
being committed to his share. 
Abstract. Sander, Young and Yung recently exhibited a protocol for 
computing on encrypted inputs, for functions computable in NC¹. In 
their variant of secure function evaluation, Bob (the “CryptoComputer”) 
accepts homomorphically-encrypted inputs (x) from client Alice, and 
then returns a string from which Alice can extract f(x, y) (where y is 
Bob’s input, or e.g. the function f itself). Alice must not learn more 
about y than what f(x, y) reveals by itself. We extend their result to 
encompass NLOGSPACE (nondeterministic log-space functions). 

In the domain of multiparty computations, constant-round protocols 
have been known for years [BB89,FKN95]. This paper introduces novel 
parallelization techniques that, coupled with the [SYY99] methods, re- 
duce the constant to 1 with preprocessing. This resolves the conjecture 
that NLOGSPACE subcomputations (including log-slices of circuit com- 
putation) can be evaluated with latency 1 (as opposed to just O(1)). 



1 Introduction 

We consider variants of the now-classic problem raised by Yao [Y86] in which 
Alice and Bob wish to compute f(x, y) while keeping their respective inputs x 
and y private. Roughly speaking, their computation should be as “secure” as if a 
trusted third party had accepted their inputs and provided nothing but the final 
output. This problem, Secure Function Evaluation, has a rich history of investi- 
gation, with a great deal of attention given to minimizing needed assumptions 
and communication complexity. 

CEI. One particular variant is that of Computing on Encrypted Inputs (CEI), in 
which Alice provides Bob with encryptions of x (or its bits), and Bob must enable 
Alice to determine C(x) without revealing his “program” C. Mathematically, C 
can itself be encoded as an input to a universal circuit, hence this variant can be 
subsumed in general secure function evaluation. But the ground rules for CEI are 
somewhat different, in that Alice provides her input in the form of encryptions 
rather than through an inventor’s flexibly chosen alternative (such as indirectly 
through oblivious transfer [R81]). 

This is somewhat different than the general 2-party setting, in which encryp- 
tions can be used as an implementation tool but are not required. Moreover, the 
encryptions used in “Yao gates” and other earlier techniques are usually meant 
to encrypt random secrets that indirectly represent secret bits, as opposed to 
encrypting the secret bits themselves. (A concrete hint if this is confusing: Alice 
often gets to learn one secret x_0 or another secret x_1, each of which is itself 
random; but the actual value represented by this process is 0 if Alice learns x_0, 
or 1 if Alice learns x_1.) 

In the general SFE setting for two parties, preprocessing obviates the need 
for “encrypted inputs” and other extra work, since a “scrambled universal cir- 
cuit” can be prepared in advance and then applied in one round as soon as 
the actual inputs become available. The challenge is therefore to achieve a one- 
round protocol without preprocessing (other than public-key initialization and 
the like). 

Recently, Sander, Young and Yung provided a novel construction that enables 
non-interactive computing on encrypted inputs for functions in NC¹, namely 
functions computed by bounded-fan-in log-depth circuits. (“Non-interactive” 
means that Bob can complete his computation and return the result to Alice 
without conversation beyond receiving the initial message from Alice; obviously, 
Alice’s inputs must be communicated to Bob in some form.) Alice simply drops 
off her input, Bob processes it, and Alice picks up the results. Dubbed “crypto- 
computing” by [SYY99], this methodology has applications to mobile computing 
and other settings. 

Our contribution to non-interactive CEI (cryptocomputing) is to extend the 
class of functions to NLOGSPACE, i.e. non-deterministic logspace, a superclass 
of NC¹. This extension relies on matrix techniques from Feige, Kilian and Naor 
[FKN94], but also employs a newly contributed inversion-free reduction (§5.5) 
to compute products of secret group elements in one pass. With these methods, 
functions in NLOGSPACE can be evaluated in 1 round from scratch, answering 
a challenge left open by [SYY99], namely whether complexity beyond NC¹ is 
attainable for non-interactive computing on encrypted inputs. 

MSC. Another twist on Secure Function Evaluation introduces some number 
n of parties, each holding a private input x_i, who wish to compute some func- 
tion f(x_1, ..., x_n) [GMW86,GMW87,BGW88,CCD88]. This version, known as 
Multiparty Secure Computation (MSC), has also been the subject of extensive 
analysis. 

When “computational” security is considered (as opposed to information the- 
oretic), it is in fact possible to reduce any poly-depth circuit to a protocol with 
O(1) rounds [BMR90]. With preprocessing and complexity-theoretic assump- 
tions, those methods enable the results to be ready in one round after the inputs 
are provided, as mentioned above for the 2-party case. 

Instead, we focus on the challenge of information theoretic security. For ef- 
ficient solutions (polynomial message size and local computation), the number 
of rounds of communication is generally related to the circuit depth for f. Bar- 
Ilan and Beaver introduced techniques to reduce the computation by log-factors 
[BB89]; thus functions in NC¹ can be computed in a constant expected num- 
ber of rounds. In fact, the methods from [FKN94] extend this to functions in 
NLOGSPACE. But the O(1) constants, while small, still exceed 1. 

Unlike the CEI setting, we do focus here on minimizing the latency of the 
computation, namely the number of rounds from when the inputs are supplied 
to when the output is ready. In [B91] it was shown that 1-round latency for 
secret multiplication (among other things, such as multiplicative inversion) is 
achievable. 

Applying that work in a brute-force fashion to the [BB89,FKN94] solutions 
still gives a constant latency exceeding 1, because of the need to compute mul- 
tiplicative inverses prior to evaluating components of a large product. We apply 
the methods of [SYY99] to reduce the latency to 1 for NC¹. The final construc- 
tion provides a particularly elegant view of multiparty computation expressed 
as a secret linear combination of inputs. 

With the inversion-free reduction described in this work, we also show how 
to achieve a latency of 1 for NLOGSPACE secret computations by avoiding the 
two-phase process in earlier works. Especially attractive is the fact that, apart 
from the preprocessing, no broadcast is needed. Thus a single dissemination 
(broadcast message without agreement) from each honest participant suffices 
for each NLOGSPACE-subcomputation. 

2 Background and Definitions 

We consider two different cases for function evaluation: the two-party case and 
the multiparty case. In the two-party case, hidden values can be represented 
through encryption, through oblivious transfer, or other such constructs. In the 
multiparty case, values can be represented through encryption, of course, but 
more interestingly through secret sharing [S79,B79]. 

It should be noted that the manipulations of these fundamental represen- 
tations - encryptions or shares - are quite similar. Thus we may speak of “se- 
cret addition” to mean a homomorphic encryption (e.g. E(a)E(b) = E(a ⊕ b)) 
or to mean a homomorphic additive sharing (e.g. h(x) = f(x) + g(x) from 
h(i) = f(i) + g(i)). In general, “secret (operation)” can be interpreted accord- 
ing to context, whereby the representation of the result is calculated from the 
representations of the inputs - be it encryption or sharing or otherwise. 

Likewise, the “reconstruction” or “revelation” will refer to interpolation of 
shares, or decrypting of values and propagation through trees, etc. 

We note these observations explicitly to avoid doubling the size of the ex- 
position, since, for example, the use of multiplicative inverses will be discussed 
both in the context of encrypted-representations and shared-representations. 



2.1 Secret Sharing and Multiparty Computation 

We refer the reader to [S79,B79,GMW87,BGW88,CCD88] for more detailed ex- 
position. A secret value x can be shared among n parties, at most t of whom 
are colluding, by selecting t random coefficients a_t, ..., a_1 and defining 
$f(u) = a_t u^t + \cdots + a_1 u + x$. Player i receives the share f(i). With t + 1 correct shares, 
f(0) = x can be determined. With t or fewer shares, no information about x is 
revealed. 
If f(u) represents f(0) = x and g(u) represents g(0) = y, then h(u) = f(u) + 
g(u) represents x + y, and shares h(i) are easily calculated without interaction 
as f(i) + g(i). Multiplication protocols are more model-dependent, but generally 
within a small number of rounds of interaction, a polynomial representation of 
xy can be obtained as well. 
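The sharing, non-interactive addition and interactive multiplication just described, in one runnable simulation. This is an added example, not code from either paper: it uses Shamir sharing over GF(P) with P = 101, n = 5 players and threshold t = 2 (so n ≥ 2t + 1, constructed parameters) as the linear scheme M, and implements the multiplication gate of Section 7.2 above (local products c_i = a_i b_i, resharing, recombination with the fixed vector r) with the commitments and the CMP/CSP checks left out. The recombination vector is the Lagrange vector at 0 for the points 1..n; since the local products lie on a degree-2t polynomial, n points determine it.

```python
import random

# Added example, not from either paper: Shamir sharing as the linear scheme M,
# with the addition and multiplication gates of Section 7.2 simulated locally.
# Constructed parameters: field GF(101), 5 players, threshold 2 (5 >= 2*2+1).
P = 101
N, T = 5, 2


def share(x, rng, degree=T):
    """Random degree-`degree` polynomial with constant term x; player i gets f(i)."""
    coeffs = [x % P] + [rng.randrange(P) for _ in range(degree)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, N + 1)]


def lagrange_at_zero(points):
    """Coefficients r_i with sum_i r_i f(i) = f(0) for the given evaluation points."""
    coeffs = []
    for i in points:
        num, den = 1, 1
        for k in points:
            if k != i:
                num = num * (-k) % P
                den = den * (i - k) % P
        coeffs.append(num * pow(den, P - 2, P) % P)
    return coeffs


def reconstruct(shares, points):
    """Open a secret from the shares held by the listed players."""
    return sum(r * s for r, s in zip(lagrange_at_zero(points), shares)) % P


def add_gate(a_shares, b_shares):
    """Non-interactive: each player adds its own two shares."""
    return [(a + b) % P for a, b in zip(a_shares, b_shares)]


def mul_gate(a_shares, b_shares, rng):
    """Local product, reshare, recombine (Section 7.2 without the commitments)."""
    points = list(range(1, N + 1))
    r = lagrange_at_zero(points)                     # fixed recombination vector
    c_local = [a * b % P for a, b in zip(a_shares, b_shares)]   # c_i = a_i * b_i
    # resharing: player i shares c_i; reshared[i][j] is c_ij, sent to player j
    reshared = [share(c_i, rng) for c_i in c_local]
    # recombination: player j computes c_j = sum_i r_i c_ij, a degree-t share of ab
    return [sum(r[i] * reshared[i][j] for i in range(N)) % P for j in range(N)]
```

The resulting product shares reconstruct to ab from any t + 1 players, which is the invariant the protocol maintains; the local products alone would need all n players, which is why the resharing step is there.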

There are a variety of models to which our results apply - for example, 
t < n/2 covers one class, and t < n/3 covers another. (One can also withstand 
general adversary structures such as “Q2” and “Q3.”) Broadcast is assumed (at 
least for preprocessing), but we place no restrictions on the computational power 
of attackers. 

For simplicity, we consider t-adversaries who make a static choice of whom 
they will corrupt at the outset, and we investigate independence rather than 
simulatability. (Generalizations are possible.) Let f(x_1, ..., x_n) be a function on 
n inputs, each of size m, producing a result of size m, and described by a boolean 
circuit family C_f. A multiparty protocol for f is a collection {P_1, ..., P_n} of 
interactive Turing machines, each taking input m and a private m-bit argument 
x_i, and producing a final output y_i. A t-adversary is allowed to substitute (and 
coordinate) up to t of the programs. Two inputs are T-equivalent if they are 
identical on inputs in T and evaluate under f to the same result. 

Definition 1. A protocol Π = {P_1, ..., P_n} for f is (information theoretically) 
t-secure if, for any coalition T ⊆ Π of size |T| ≤ t, and for any T-equivalent 
input (x_1, ..., x_n), the view obtained by T is identically distributed. 

To complicate the analysis, we may allow the inputs x_i to be supplied at 
some round p after the protocol starts. The number of rounds of preprocessing 
(independent of inputs) is then p, and the latency is the total number of rounds 
less p. When considering protocols that divide the computation of f into “slices” 
(i.e., subcomputations), we also consider the latency of computing each slice as 
the maximal number of rounds from when the previous slice is completed to 
when the current slice is done. 

2.2 Computing on Encrypted Inputs 

In CEI, we would like to capture the challenge of dropping off encrypted inputs 
which are then manipulated in a somewhat black-box fashion to produce a re- 
sult for the client. This requires a bit more than postulating a homomorphic 
encryption scheme, as we now discuss. 

One of the earliest and most fundamental techniques for two-party circuit 
evaluation is due to Yao [Y86]. In this method, Bob prepares a scrambled circuit 
in which each gate is represented by an encrypted table (called a “Yao gate”), 
and each wire w is represented by a pair of hidden triggers, i.e. numbers w_0 and 
w_1. The value of wire w is 0 if Alice discovers w_0; it is 1 if Alice discovers w_1; 
in other cases it is undefined. By propagating the discovered triggers through 
each encrypted table, Alice is able to calculate the trigger for the output wire 
of the gate. She is not told how to interpret the triggers, i.e. to which bit the 
trigger corresponds - except for the final output wire. 




Minimal-Latency Secure Function Evaluation 339 



The needed interaction is minimal, on the same order as the [SYY99] set- 
ting. Alice must obtain initial wire triggers that correspond to her secret input 
bits. This is achieved through chosen-1-out-of-2 Oblivious Transfer [R81]: Bob 
supplies w_{i0} and w_{i1} for an input wire w_i; Alice learns precisely one, namely 
$w_{i,x_i}$, but Bob does not learn which Alice chose. Bob also sends Alice the scram- 
bled circuit. Subsequently, Alice can calculate the output value without further 
interaction. 

Given a homomorphic encryption scheme, one quick way to implement the 
OT is by way of a generalization of Den Boer’s method [dB90]. Alice sends E(c) 
where c is a bit describing her choice. Bob responds with {E(b_0), E(c)/E(b_0)}, 
{E(b_1), E(c)E(1)/E(b_1)}, with sets and members permuted randomly. Given 
proper behavior, Alice decrypts the sets to {0, 1} and {b_c, b_c}, hence she obtains 
b_c. The authors of [SYY99] invoke a variety of options to demonstrate good 
behavior without introducing interaction; those options apply here as well. Note 
that Bob can send the scrambled circuit along with his OT reply, making the 
whole interaction non-interactive, so to speak. 

Thus, if Bob can employ a homomorphic encryption secure against Alice, an 
immediate solution is possible for any polynomial-time f, not just one in NC¹. 
This solution makes an end run around the spirit of the problem. Since it is hard 
to provide a formal test that captures whether Bob’s computations are nothing 
“more” than a manipulation of encrypted values (there are a lot of clever and 
indirect things he can do), we turn to a simple requirement: the protocol must 
be information-theoretically secure against Alice. 

Definition 2. A CEI protocol for function f represented by circuit C_f is a 
two-party protocol consisting of a message from Alice to Bob followed by one in 
return. The protocol is correct if for all inputs (x, y), Alice’s output is f(x, y) ex- 
cept with negligible probability. A CEI protocol is private if it is computationally- 
private against Bob and information-theoretically private against Alice. 



Concrete Examples of Encryptions. A couple of common encryptions make 
suitable candidates. One is the Goldwasser-Micali encryption [GM84] in which 
the public key is a Blum integer with a private key consisting of its factors P, Q. Bit b 
is encrypted as $(-1)^b r^2$ modulo that integer, for a random r. This is secure assuming that quadratic 
residues are indistinguishable from non-residues (the Quadratic Residuosity As- 
sumption, or QRA). 

A second candidate is a variant of El-Gamal encryption with primes P, Q 
satisfying P = 2Q + 1, and a generator g of order Q. Corresponding to private 
key x is the public key $y = g^x$. To encrypt message m taken from the space of 
quadratic residues, compute $(g^r, y^r m)$. Encryption of 0 and 1 uses two fixed, 
public quadratic residues m_0, m_1. The security of this method is equivalent to 
Decision Diffie-Hellman [TY98,NR97]. 

In each of these cases, given some E{b), it is easy to see how to sample 
random encryptions uniformly from the set of all encryptions of b, or of 1 — b, 
even without knowing b. 
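The Goldwasser-Micali scheme and the Den Boer style OT built on its XOR homomorphism, both from the discussion above, as an added example that is not code from the paper. The Blum integer N = 19 · 23, the function names and the `ot_run` driver are constructed for the example; the primes are far too small to be secure and serve only to make the residuosity checks visible.

```python
import random

# Added example, not the paper's code: Goldwasser-Micali bit encryption
# (Section 2.2) and the 1-out-of-2 OT that uses its XOR homomorphism.
# Constructed toy Blum integer: both primes are 3 mod 4, so -1 is a
# non-residue modulo each of them.
p_, q_ = 19, 23
N = p_ * q_
PHI = (p_ - 1) * (q_ - 1)


def is_qr_mod_prime(c, prime):
    """Euler criterion: c is a quadratic residue mod prime iff c^((prime-1)/2) = 1."""
    return pow(c % prime, (prime - 1) // 2, prime) == 1


def encrypt(bit, rng):
    """E(b) = (-1)^b * r^2 mod N for a random r coprime to N."""
    while True:
        r = rng.randrange(2, N)
        if r % p_ and r % q_:
            return (-1) ** bit * r * r % N


def decrypt(c):
    """With the factors, c is a residue mod N (bit 0) iff it is one mod both primes."""
    return 0 if is_qr_mod_prime(c, p_) and is_qr_mod_prime(c, q_) else 1


def hom_xor(c1, c2):
    """E(a) * E(b) = E(a xor b)."""
    return c1 * c2 % N


def hom_div(c1, c2):
    """E(a) / E(b) = E(a xor b) as well, since every bit is its own negative."""
    return c1 * pow(c2, PHI - 1, N) % N      # Euler's theorem gives the inverse


def ot_alice_request(choice, rng):
    return encrypt(choice, rng)


def ot_bob_reply(e_c, b0, b1, rng):
    """Sets {E(b0), E(c)/E(b0)} and {E(b1), E(c)E(1)/E(b1)}, members and sets shuffled."""
    e0, e1 = encrypt(b0, rng), encrypt(b1, rng)
    set0 = [e0, hom_div(e_c, e0)]
    set1 = [e1, hom_div(hom_xor(e_c, encrypt(1, rng)), e1)]
    rng.shuffle(set0)
    rng.shuffle(set1)
    sets = [set0, set1]
    rng.shuffle(sets)
    return sets


def ot_alice_extract(sets):
    """One set decrypts to {b, b} (that b is b_c); the other decrypts to {0, 1}."""
    for s in sets:
        d = [decrypt(x) for x in s]
        if d[0] == d[1]:
            return d[0]
    raise ValueError("malformed OT reply")


def ot_run(choice, b0, b1, seed=0):
    """Full exchange: one message each way, Alice ends with b_choice."""
    rng = random.Random(seed)
    return ot_alice_extract(ot_bob_reply(ot_alice_request(choice, rng), b0, b1, rng))
```

Tracing the algebra: when c = 0 the first set decrypts to {b_0, b_0} and the second to {b_1, 1 ⊕ b_1} = {0, 1}, so nothing about b_1 leaks; when c = 1 the roles swap. Bob only ever sees E(c), so his view is protected by the QRA.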
3 Pyramid Representation 

The foundation for the recent 1-round protocol of Sander, Young and Yung is 
an ingenious tree representation for a circuit output. We will build multiparty 
protocols around their architecture, thus we give details here; the familiar reader 
can skip to the next section. 

Let us coin the term pyramid representation to describe the data structure 
employed in [SYY99]: a complete 4-2 tree, i.e. a tree with degree 4 at root and 
even-level nodes, and with degree 2 at all odd-level nodes. We take the root to 
be level 2d and the leaves to be at level 0. There are $8^d$ leaves. 

There are three important aspects to the SYY construction. First, the nodes 
can be evaluated in terms of a given circuit, resulting in the root being assigned a 
value equal to the output of the circuit. Second, the pyramid representation can 
be constructed from encrypted leaf values without knowing what the cleartext 
bits are. Third, the pyramid representation can be randomized so that it appears 
chosen uniformly at random from all such representations that evaluate to the 
given root value. 

The authors of [SYY99] refer to the construction and randomizing as inat- 
tentive computing, suggesting that the party who performs the tasks need not 
pay attention to the actual values themselves. The manipulations are oblivious 
to the contents. 

Decoding. In slightly more detail for completeness, we first summarize how 
evaluation/decoding takes place, given bit assignments to the leaves. (Ultimately, 
each leaf corresponds to an encryption, and the value of the leaf node is the 
decrypted bit.) Propagating upward, a node at level 2k + 1 has two children, 
(a, b), and is assigned the value a ⊕ b. A node at level 2k has four children 
(a, b, c, d), and is assigned the value 0 if three are labelled 0 and one is 1, or 
respectively 1 if three children are labelled 1 and one is 0. (All other cases are 
syntactically unacceptable and are given an undef label.) This three-of-one-kind 
representation is critical. 

Construction. To construct a pyramid representation of the value of some 
function f applied to input bits x_1, ..., x_m, one must apply the gates of a circuit 
C_f for f to the nodes in the representation. Inputs and constants lie at the 
leaves. Without loss of generality, express C_f as NOT and OR gates. We briefly 
summarize the SYY construction using the following procedures, which depend 
on the level of the node in the tree: 

— NOT(x:level 0) gives y:level 0. 

• set y = x ⊕ 1. (Later, 0 and 1 may be encoded by (0, 1) and (1, 0), in 
which case this operation is instead a swap.) 

— NOT(x:level 2k + 2) gives y:level 2k + 2. 

• return ((not(a_1), a_2), (not(b_1), b_2), (not(c_1), c_2), (not(d_1), d_2)), where 
x = ((a_1, a_2), (b_1, b_2), (c_1, c_2), (d_1, d_2)). 

— OR(x:level 2k, y:level 2k) gives z:level 2k + 2. 

• return ((x, 0), (y, 0), (x, y), 1') where 0 denotes a level 2k zero, and 1' 
denotes a level 2k + 1 one. 
The ingenious motivation behind the three-of-one-kind representation is now 
clearer. Negating each individual bit in the multiset {0, 0, 0, 1} provides a 
three-of-one-kind result {1, 1, 1, 0}, and vice versa. More importantly, the re- 
sults of the OR routine are always in a three-of-one-kind configuration, when 
interpreted at a higher level. Explicitly: 

  x  y  |  (x,0)  (y,0)  (x,y)  1'  |  multiset          |  OR 
  0  0  |   0'     0'     0'    1'  |  {0', 0', 0', 1'}  |  0 
  0  1  |   0'     1'     1'    1'  |  {0', 1', 1', 1'}  |  1 
  1  0  |   1'     0'     1'    1'  |  {1', 0', 1', 1'}  |  1 
  1  1  |   1'     1'     0'    1'  |  {1', 1', 0', 1'}  |  1 

where the primed values are interpreted at the next layer up ((0, 0) and (1, 1) 
are written 0', etc.). 

Randomization. [SYY99] show that the following straightforward method turns 
a particular pyramid representation of some result z into a randomly-chosen valid 
pyramid representation of z, thereby hiding the inattentive steps used to con- 
struct the original representation. The randomization method is itself inattentive 
to the contents of the pyramid. 

— RANDOMIZE(x:level 2k + 2) gives y:level 2k + 2. 

• let x be ((x_{11}, x_{12}), (x_{21}, x_{22}), (x_{31}, x_{32}), (x_{41}, x_{42})); 

• for i = 1..4 and j = 1..2, set b_{ij} ← RANDOMIZE(x_{ij}); 

• for i = 1..4, set c_i by random choice to be (b_{i1}, b_{i2}) or (NOT(b_{i1}), NOT(b_{i2})); 

• choose a random permutation σ ∈ S_4 and return (c_{σ(1)}, c_{σ(2)}, c_{σ(3)}, c_{σ(4)}). 



3.1 Non-interactive Computing on Encrypted Inputs 

In the [SYY99] paper, this construction is applied to encrypted inputs. That is, 
Alice presents CryptoComputer Bob with encryptions E(x_i) of each of her input 
bits x_i, along with their inverses E(1 − x_i). This enables Bob to create the level 
0 leaf labels. Note that Bob can also encrypt his secret inputs x_j, as well as any 
known constants, thereby filling in any other needed labels. 

Now, without knowing the contents of the encryptions, Bob can invoke the 
NOT and OR routines, and finally the randomize routine. The result is a pyramid 
representation whose root value is f{x, y). Bob sends this to Alice. 

Alice is able to decrypt the labels on the leaves and can subsequently evaluate 
the root value. 



4 Multiparty Secure Computation 

With the pyramid data structure in place, we are now ready to give a multiparty 
secure computation for NC¹. 
4.1 Latency vs. Cost: Circuit Randomization 

When calculating from scratch, our MSC results will generally incur a minimal 
cost of one secret multiplication. While still better than previously published 
results, this falls short of the most desirable bound of 1 round, period. 

Instead, we focus on latency, defined as the number of rounds from when 
the inputs to a computation phase are provided until the output (whether secret 
or public) is complete. Preprocessing is acceptable (and likely required), but it 
must be independent of the inputs to be used. 

Latency is particularly important when evaluating a depth-D circuit using 
(log n)-slices to speed up the number of rounds. A brute-force approach would 
normally require C·D/log n multiplications with C much larger than 1 (and 
even including our results below, it would be at least D/log n multiplications). 
If, however, the later slices benefit from preprocessing that is performed during 
the first slice, then the net running time can be drastically reduced. That is, one 
multiplication plus D − 1 rounds is far better than D sequential multiplications. 

One way to improve latency was shown by Beaver, using a technique called 
circuit randomization [B91]. With appropriate preprocessing, this enables each 
secret multiplication to finish in one round, an order of magnitude faster than 
the cost of a secret multiplication from scratch. 

The preprocessing is simple, consisting of computing secret products on se- 
cret, random inputs. Thus, for example, secrets a, b, c with c = ab are created 
in advance. When x and y are ready to be multiplied, the differences (“correc- 
tions”) Δx = x − a and Δy = y − b are published. The “correction” to c, namely 
Δz = xy − c, then becomes a straightforward linear combination with public 
coefficients (the Δx, Δy values). The bottom line is that secret multiplication 
has a latency of 1 round. 
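The circuit-randomization multiplication just described, simulated end to end. This is an added example and not the paper's code; it uses plain additive sharing modulo a prime (constructed parameters: P = 2^31 − 1, three players) so that the only interactive step is the publication of the two corrections, and it writes out the public-coefficient linear combination Δz = Δx·b + Δy·a + Δx·Δy that the text refers to.

```python
import random

# Added example, not the paper's code: Beaver's one-round multiplication from
# a preprocessed triple (a, b, c = ab), over additive sharing modulo P.
# Constructed parameters; any prime field and any number of players work.
P = 2**31 - 1


def share(x, n, rng):
    """Additive sharing: n random summands that add up to x mod P."""
    parts = [rng.randrange(P) for _ in range(n - 1)]
    return parts + [(x - sum(parts)) % P]


def reconstruct(shares):
    return sum(shares) % P


def preprocess(n, rng):
    """Input-independent phase: share a random a, b and their product c = ab."""
    a, b = rng.randrange(P), rng.randrange(P)
    return share(a, n, rng), share(b, n, rng), share(a * b % P, n, rng)


def multiply(x_shares, y_shares, triple, n):
    """One round: publish shares of dx = x - a and dy = y - b, then combine locally.
    z = c + dx*b + dy*a + dx*dy equals xy, and only [a], [b], [c] are secret."""
    a_sh, b_sh, c_sh = triple
    dx = reconstruct([(x - a) % P for x, a in zip(x_shares, a_sh)])   # published
    dy = reconstruct([(y - b) % P for y, b in zip(y_shares, b_sh)])   # published
    z_shares = []
    for i in range(n):
        z = (c_sh[i] + dx * b_sh[i] + dy * a_sh[i]) % P      # public coefficients
        if i == 0:
            z = (z + dx * dy) % P        # the public constant, added by one player
        z_shares.append(z)
    return z_shares


def secret_product(x, y, n=3, seed=0):
    """Share x and y, run the one-round multiplication, open the result."""
    rng = random.Random(seed)
    triple = preprocess(n, rng)                      # before inputs are known
    z_shares = multiply(share(x, n, rng), share(y, n, rng), triple, n)
    return reconstruct(z_shares)
```

The published Δx, Δy are uniformly random because a and b are, so the one round of communication reveals nothing about x or y; each triple is consumed once, which is why the preprocessing cost scales with the number of multiplication gates.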

We shall see below that the same conclusion applies to NC¹ (and to 
NLOGSPACE): secret NC¹ computations have a latency of 1 round. Interest- 
ingly, the following result can be derived in different ways, with or without the 
recent SYY methods. 

Claim. Let f be represented by a circuit C_f of polynomial size. There exists a 
secure MSC protocol to compute NC¹ slices of C_f with a latency of 1 round. 



4.2 NC¹ via Secret Quadratic Forms and SYY 

The first of two ways to achieve Claim 4.1 employs [SYY99] with secretly shared 
values in place of encrypted bits. The “inattentive” creation of a pyramid rep- 
resentation on secrets is done as a multiparty computation in a straightforward 
manner. 

The calculation of NOT at level 0 is simple: non-interactively compute 1 — x 
secretly. Second, the randomize step can be calculated using a secret quadratic 
form applied to the inputs - or in other words, a “linear” combination of input 
values in which the coefficients are themselves secrets. These coefficients are 
chosen randomly but with certain restrictions. 
There are only two steps in randomize in which random choices are made. 
In the 2-party Computing on Encrypted Inputs setting, the “CryptoComputer” 
would make these choices and ensure that they remain secret. In the MSC ap- 
plication, these choices are also kept secret. We must ensure that they can be 
selected and applied efficiently. 

Referring to §3, there are two main steps for applying random choices. First 
is the choice between (b_{i1}, b_{i2}) and (NOT(b_{i1}), NOT(b_{i2})). This choice can be ex- 
ecuted by creating a new secret bit d_i, then setting (at leaves): 

$b_{i1} = d_i x_{i1} + (1 - d_i)(1 - x_{i1})$ 

$b_{i2} = d_i x_{i2} + (1 - d_i)(1 - x_{i2})$ 

The manipulation at higher level nodes is similar: the multiplication by d_i is 
propagated to the children. 

Similarly, the random selection of a permutation from S_4 can be modelled 
by a secret permutation matrix A = [a_{ij}], so that the resulting quadruple is 
(y_1, y_2, y_3, y_4) where $y_i = \sum_j a_{ij} c_j$. 

At each odd-level node in the pyramid representation, then, a secret random 
bit is generated. At each even-level node above 0, a secret random S_4 permutation 
is generated. 

If these operations are composed, the result is a collection of coefficients 
C_{ij} such that leaf i is $C_{i0} + \sum_j C_{ij} x_j$. These coefficients are products of the 
coefficients assigned on the path down to leaf i. Thus they can be efficiently 
calculated (secretly, of course) in a preprocessing phase. 

Noting that [B91] enables quadratic forms on secrets to be evaluated with 
1-round latency, Claim 4.1 is satisfied. 

4.3 Some Details 

For concreteness, here are some ugly programming steps for the protocol. The SYY 
construction induces at each node a tree with formulas in it. One can apply a syntactic 
NOT operation to a leaf label s by replacing s by 1 — s. One can apply a NOT to 
a higher node by applying NOT recursively to each of the left grandchildren (as in 
SYY). One can also perform linear combinations recursively on two trees of formulas 
in a direct manner: 

$a((t_1, t_2), (t_3, t_4), (t_5, t_6), (t_7, t_8)) + b((u_1, u_2), (u_3, u_4), (u_5, u_6), (u_7, u_8)) =$ 
$((at_1 + bu_1, at_2 + bu_2), (at_3 + bu_3, at_4 + bu_4),$ 
$(at_5 + bu_5, at_6 + bu_6), (at_7 + bu_7, at_8 + bu_8)).$ 

The first (non-interactive) preparation creates a raw tree of formulas: 

1. Start with circuit C_f which is applied to input bits x_1, ..., x_m. 

2. Create a raw pyramid program: Each node contains a tree of formulas using x_i’s 
and constants. Place x_i’s and constants at the leaves according to C_f. Propagating 
upward, create a formula tree at each node according to the Construction in §3. 
(For example, at level 2, OR(NOT(x_1), x_2) would be labelled with the formula tree 
((1 − x_1, 0), (x_2, 0), (1 − x_1, x_2), (0, 1)).) 
The second (non-interactive) preparation adds symbols that correspond to the ran- 
domization: 

1. For each odd-level node v, create symbol d(v). For each even-level node v, create 
16 symbols a(v, i, j) for 1 ≤ i, j ≤ 4. 

2. Create a randomized pyramid program: Propagating upwards from leaves, apply 
randomization symbols. 

2A. Replace the current T by T' = d(v)T + (1 − d(v))NOT(T). (This involves 
recursively applying d(v) symbols and NOT’s; the result is a tree of formulas 
over inputs, constants, and d_i’s.) 

2B. Now say the current T is ((b_{11}, b_{12}), (b_{21}, b_{22}), (b_{31}, b_{32}), (b_{41}, b_{42})). Replace b_{im} 
with $\sum_j a(v, i, j)\, b_{jm}$. (Again, the a(v, i, j) symbols trickle to the leaves.) 

The result is a pyramid of formulas in which each formula can be written as 
$C_{i0} + \sum_j C_{ij} x_j$, where the C’s are formulas on the randomization symbols and constants 
alone. 

This gives an $O(8^d)$-sized “program” for the preprocessing phase, where d is the 
circuit depth of C_f. Generate random secret bits for each of the d(v) symbols. Generate 
random secret permutation matrices for each set {a(v, i, j)}. Evaluate each C_{i0} and C_{ij} 
secretly. The preprocessing takes constant rounds. 

We now have a pyramid in which each leaf i contains an expression $C_{i0} + \sum_j C_{ij} x_j$. 
Following the approach of [B91], these results can be precomputed at random values 
X_j. When the x_j inputs are provided, “corrections” (x_j − X_j) are announced, corrections 
to the pyramid entries are disseminated (no broadcast/agreement needed), and each 
player then calculates the entries himself. Each player then evaluates the pyramid 
according to the instructions of [SYY99] (see §3). 
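The pyramid machinery of §3 (decoding, NOT, OR, RANDOMIZE) together with the formula-tree view of this section, in one added example that is not code from [SYY99] or this paper. Leaves hold affine formulas over the input bits, so the randomization symbols d(v) and a(v, i, j), instantiated here with concrete random bits and permutations rather than secret-shared values, leave every leaf in the form C_{i0} + Σ_j C_{ij} x_j. The circuit f(x_1, ..., x_4) = OR(OR(NOT x_1, x_2), OR(x_3, NOT x_4)), the dict encoding of formulas and all function names are constructed for the example.

```python
import random

# Added example, not code from [SYY99] or this paper. A leaf holds an affine
# formula c_0 + sum_j c_j x_j as {0: c_0, j: c_j}; interior nodes are the
# tuples of Section 3 (pairs at odd levels, 4-tuples at even levels).

def const(c):
    return {0: c}

def var(j):
    return {0: 0, j: 1}

def add(f, g):
    h = dict(f)
    for k, v in g.items():
        h[k] = h.get(k, 0) + v
    return h

def scale(c, f):
    return {k: c * v for k, v in f.items()}

def neg(f):                       # syntactic NOT on a leaf: 1 - s
    return add(const(1), scale(-1, f))

def evaluate(f, x):               # plug concrete input bits into a leaf formula
    return f.get(0, 0) + sum(v * x[k] for k, v in f.items() if k != 0)

def level(node):
    return 0 if isinstance(node, dict) else level(node[0]) + 1

def zero(lv):                     # a level-lv pyramid that decodes to 0
    if lv == 0:
        return const(0)
    z, o = zero(lv - 2), one(lv - 2)
    return ((z, z), (z, z), (z, z), (z, o))      # pairs decode to 0',0',0',1'

def one(lv):                      # a level-lv pyramid that decodes to 1
    if lv == 0:
        return const(1)
    z, o = zero(lv - 2), one(lv - 2)
    return ((z, o), (z, o), (z, o), (z, z))      # pairs decode to 1',1',1',0'

def NOT(t):
    if isinstance(t, dict):
        return neg(t)
    return tuple((NOT(l), r) for (l, r) in t)    # negate each left grandchild

def OR(x, y):                     # x, y at level 2k; result at level 2k+2
    lv = level(x)
    return ((x, zero(lv)), (y, zero(lv)), (x, y), (zero(lv), one(lv)))

def lin(a, t, b, u):              # a*t + b*u on two same-shape formula trees
    if isinstance(t, dict):
        return add(scale(a, t), scale(b, u))
    return tuple(lin(a, tc, b, uc) for tc, uc in zip(t, u))

def randomize(t, rng):            # RANDOMIZE with concrete d(v) and sigma
    if isinstance(t, dict):
        return t
    cs = []
    for (l, r) in t:
        b = (randomize(l, rng), randomize(r, rng))
        d = rng.randint(0, 1)                                  # the bit d(v)
        cs.append(lin(d, b, 1 - d, (NOT(b[0]), NOT(b[1]))))    # step 2A
    rng.shuffle(cs)                                            # step 2B
    return tuple(cs)

def decode(node, x):              # Section 3 decoding at a concrete input x
    if isinstance(node, dict):
        return evaluate(node, x)
    vals = [decode(ch, x) for ch in node]
    if None in vals:
        return None
    if len(node) == 2:
        return vals[0] ^ vals[1]
    return {1: 0, 3: 1}.get(sum(vals))          # three-of-one-kind rule, else undef

def leaves(node):
    return [node] if isinstance(node, dict) else [f for ch in node for f in leaves(ch)]

def raw_program():
    """f(x1..x4) = OR(OR(NOT x1, x2), OR(x3, NOT x4)): a level-4 (d = 2) pyramid."""
    return OR(OR(NOT(var(1)), var(2)), OR(var(3), NOT(var(4))))

def randomized_program(seed):
    return randomize(raw_program(), random.Random(seed))
```

Two things are worth checking on the output: the randomized program has 8^d = 64 leaves, each still affine in x_1..x_4 (the permutation only moves leaves and the d(v) step keeps the XOR of every pair), and decoding it at any input agrees with the raw program. In the MPC the coefficients of those leaf formulas are the secret C_{ij} that the preprocessing phase evaluates.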



Preparing the Coefficients. We digress with a few remarks on alternatives 
for obtaining the Cij coefficients. Several avenues present themselves: 

— generation by precomputation; 

— generation by Trusted Third Party (TTP) or Server; 

— generation by composition. 

The previous section considered precomputation. 

In a hybrid model more akin to [SYY99], one can rely on a TTP who supplies 
secret shares of the coefficients to the participants. While zero-knowledge proofs 
can ensure correctness (i.e. the coefficients are a proper permutation), one must 
trust that the TTP does not leak the coefficients. This trust model is similar to 
the CryptoComputer model of [SYY99]; secrecy relies on maintaining secrecy of 
the RANDOMIZE step. 

Finally, verified sets of coefficients from the TTP’s can be composed. This 
corresponds to allowing each TTP to execute the randomize step. As long as 
one TTP maintains discretion, the conclusions of [SYY99] will apply and the 
results will be secure. Of course, if the TTP’s are taken to be the participants 
themselves (e.g. t + 1 of them), then a secret matrix product on several matrices 
is required, which gets us back to the initial problem. 







5 Matrix Representations 

We present a background for matrix-based computing and finish the section with 
our new inversion-free reduction. 

5.1 Secret Group Operations 

The following subroutines are applicable to 2-party and to multiparty settings. Note that the group need not be abelian, thus matrices are perfectly fine candidates. The costs are O(1) multiplications; hence if secret multiplication takes O(1) rounds, the net cost is O(1) rounds. (As described later, secret multiplication generally has 1-round latency after preprocessing, so these routines are very short in terms of latency.)

Inverses. The authors of [BB89] demonstrated how to compute a secret inverse of a secret group element X in O(1) multiplications using the following trick: choose a secret element U; secretly calculate Y = XU and reveal Y; publicly calculate $Y^{-1}$; secretly multiply $Z = U Y^{-1}$. Clearly, $Z = X^{-1}$, yet Y is distributed uniformly at random, revealing nothing about X (as long as U remains uncompromised).

Polynomial-Length Products. Let M_1, ..., M_N be secret group elements. The goal is to calculate $M = \prod_i M_i$ secretly. The following application (with minor differences) arose in [K88,K90] and [BB89]:

$M = R_0^{-1} \,(R_0 M_1 R_1^{-1})\,(R_1 M_2 R_2^{-1}) \cdots (R_{N-1} M_N R_N^{-1})\, R_N$

where R_0, ..., R_N are secret, random, invertible group elements (R_0 can be set to the identity). Let $S_i = R_{i-1} M_i R_i^{-1}$. Then the set {S_i}, if made public, reveals nothing about {M_i}; it appears uniformly random, subject to producing the same overall product.

A protocol that follows this structure (compute R_i's and inverses, compute and reveal S_i's) will incur O(1) multiplications plus the cost of generating random invertible elements. It will nevertheless exceed 1 round.

5.2 3x3 Products for NC¹

Building on a result of Barrington [B86], Ben-Or and Cleve [BC88] showed that NC¹ computations are equivalent to products of polynomially-many 3x3 matrices. In their representation, inputs are supplied as an identity matrix with the top right (1,3) zero replaced by the input value. The final result is also read from the (1,3) entry of a specified product of such "input" matrices interspersed with certain constant matrices. In fact, the final product is simply an identity matrix with the top right zero replaced by f(x_1, ..., x_n).

Without going into further detail, we mention simply that the number of matrices involved in a depth-d computation will be some N = O(4^d), and that each matrix is either a well-known constant or simply contains an input variable (possibly negated) in the (1,3) entry as above.
5.3 N x N Products for NLOGSPACE

More recently, Feige, Kilian and Naor [FKN94] described how to formulate NLOGSPACE computations as a product of N x N matrices, where N is polynomial in the input size. In their setup, the top right (1, N) entry of the final product M indicates the final output: 0 if the entry is zero, or 1 if the entry is nonzero.

Because [FKN94] used the N x N construction to solve a slightly different task, in which Alice and Bob provide sufficient data to a Combiner so that the Combiner can calculate f(x, y) without learning x and y, they also focused on leaving f(x, y) (and nothing else) in the output. While this occurs automatically in the 3x3 matrix case (for NC¹), [FKN94] had to provide additional secret matrices Q_L and Q_R to randomize the final product matrix. With Q_L and Q_R of a particular, randomized form, they showed that Q_L M Q_R was uniformly random subject to the entry at (1, N) being either zero if the output was 0 or random and nonzero if the output was 1.

It is not hard to verify that secret Q_L and Q_R matrices can be generated in a constant expected number of rounds.

5.4 Direct Output or Slice Output 

There is a distinction between producing the final result of a function in some 
public fashion (known to one or more parties) and producing a secret repre- 
sentation of the final result. The latter can be used to speed up larger circuit 
evaluations by slicing them [K88,K90,BB89] into (for example) log-depth layers. 

In any case, it is often simple to convert a direct-output computation to one that preserves the output as a secret for input to further computation. Simply create an additional secret r, directly output the result of f() - r, and implicitly add the public value f() - r to the secretly represented r.

(This does not obviate the use of Q_L and Q_R in [FKN94], however, since there are a host of other entries (N² - 1 of them, in fact) whose public revelation may compromise sensitive information. Their approach was to open the final matrix completely.)

5.5 Multiplication without Secret Inverses 

One of the difficulties with using the matrix multiplication methods described 
in §5.1 is that they are prima facie interactive in nature. To calculate an inverse, 
one must publicly reveal the randomized product, which is then interactively fed 
back into another pass. To calculate a long product of elements, one first reveals 
the intermediate products of triples, then calculates their product and feeds it 
back into another phase (multiplying by secrets on left and/or right). 

Here, we propose an inversion-free reduction from a product to a list of 
publicized matrices which can be combined to calculate the original product. 
(While no inversions are needed in the reduction, some of the resulting matrices 
must be inverted before multiplying them together.) 
Starting with a polynomial-length product $M = \prod_i M_i$, we create secret, invertible elements R_0, ..., R_N as before. But now, also create secret, invertible elements $\tilde{R}_0, \ldots, \tilde{R}_N$. Write:

$M = (R_0)\,(\tilde{R}_0 R_0)^{-1}\,(\tilde{R}_0 M_1 R_1)\,(\tilde{R}_1 R_1)^{-1}\,(\tilde{R}_1 M_2 R_2) \cdots (\tilde{R}_{N-1} R_{N-1})^{-1}\,(\tilde{R}_{N-1} M_N R_N)\,(\tilde{R}_N R_N)^{-1}\,(\tilde{R}_N).$

Let $S_i = \tilde{R}_{i-1} M_i R_i$, and let $\tilde{S}_i = \tilde{R}_i R_i$. Then:

$M = R_0\, \tilde{S}_0^{-1} S_1 \tilde{S}_1^{-1} S_2 \cdots \tilde{S}_{N-1}^{-1} S_N \tilde{S}_N^{-1}\, \tilde{R}_N.$

It is not hard to generalize [K88,K90,BB89] to show that each S_i and $\tilde{S}_i$ leaks no information. Define $S = \tilde{S}_0^{-1} S_1 \tilde{S}_1^{-1} S_2 \cdots \tilde{S}_{N-1}^{-1} S_N \tilde{S}_N^{-1}$. Then $M = R_0 S \tilde{R}_N$. While inverses are applied to the public values ($\tilde{S}_i^{-1}$), no inversion is required to reduce the original product secretly to the list of public multiplicands.

6 Multiparty Secure Computation Revisited 

6.1 Achieving NC¹ for Multiparty Secure Computation

Claim 6.2 can now be demonstrated by an alternative approach. The inversion-free reduction of §5.5 enables MSC protocols with 1-round latency for NC¹ without relying on [SYY99], as the following indicates. Precompute the R_i and $\tilde{R}_i$ matrices and reveal the $\tilde{S}_i$ values.

Let I(i) be the index of the secret input variable appearing in matrix M_i (if any). When each $\tilde{R}_{i-1} M_i R_i$ product is expanded, each of the nine entries $\{s_{ikl}\}_{1 \le k,l \le 3}$ in S_i is of the form $\alpha_{ikl} + \beta_{ikl}\, x_{I(i)}$. (If no variable appears, $\beta_{ikl} = 0$.) Secretly precompute the $\alpha_{ikl}$ and $\beta_{ikl}$ values.

Finally, when the input variables are supplied, it remains to publish each $\alpha_{ikl} + \beta_{ikl}\, x_{I(i)}$ in order to reveal the S_i matrices. This involves a single multiplication, which the methods of [B91] reduce to latency 1. (The product is precomputed on random inputs; the single round consists of disseminating an adjustment to the precomputed result.)

At this point, the S_i and $\tilde{S}_i$ matrices have been revealed. The overall result can be evaluated without further interaction, or fed secretly into the next layer of computation.
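The two reductions of §5.1 and §5.5, together with the affine-entry observation of §6.1, as an added worked example (this is not code from the paper; the paper gives no code). Everything runs over the field Z_p with an arbitrarily chosen p = 101, on 3x3 matrices of the Ben-Or/Cleve form I + x·E_13 (identity with x in the (1,3) entry); those choices, the function names, and the use of a single "trusted" process standing in for the secret-sharing layer are all assumptions of the example. What it shows is that the §5.1 reduction needs inverses of the secret R_i, whereas the §5.5 reduction only ever inverts the public $\tilde{S}_i$, and that each S_i is affine in the one input it contains.

```python
"""Added example (not from the paper): the randomized matrix-product
reductions of Sections 5.1 and 5.5, and the affine-entry observation of
Section 6.1, carried out over the field Z_p.  Our own choices: p = 101,
3x3 matrices, and Ben-Or/Cleve style input matrices I + x*E_13."""
import random

P = 101  # prime modulus chosen for the example


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % P
             for j in range(n)] for i in range(n)]


def mat_inv(A):
    """Gauss-Jordan inversion over Z_p; raises ValueError if singular."""
    n = len(A)
    M = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col] % P), None)
        if pivot is None:
            raise ValueError("singular matrix")
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [v * inv % P for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % P for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]


def random_invertible(n, rng):
    """Rejection-sample a random invertible matrix (the 'secret R' of the text)."""
    while True:
        A = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
        try:
            mat_inv(A)
            return A
        except ValueError:
            pass


def product(mats):
    acc = identity(len(mats[0]))
    for M in mats:
        acc = mat_mul(acc, M)
    return acc


def input_matrix(x, n=3):
    """Ben-Or/Cleve input matrix: identity with x in the (1,3) entry."""
    M = identity(n)
    M[0][2] = x % P
    return M


def reduction_with_inverses(mats, rng):
    """Section 5.1 ([K88,K90,BB89]): publish S_i = R_{i-1} M_i R_i^{-1}, R_0 = I.
    The *secret* inverses R_i^{-1} are what cost interaction in MPC.
    Returns (public S_i list, secret R_N); prod(S_i) * R_N is the original product."""
    n, N = len(mats[0]), len(mats)
    R = [identity(n)] + [random_invertible(n, rng) for _ in range(N)]
    S = [mat_mul(mat_mul(R[i - 1], mats[i - 1]), mat_inv(R[i])) for i in range(1, N + 1)]
    return S, R[N]


def inversion_free_reduction(mats, rng):
    """Section 5.5: with secret R_0..R_N and Rt_0..Rt_N, publish
    S_i = Rt_{i-1} M_i R_i and St_i = Rt_i R_i.  No secret value is inverted.
    Returns (S list, St list, secret R_0, secret Rt_N)."""
    n, N = len(mats[0]), len(mats)
    R = [random_invertible(n, rng) for _ in range(N + 1)]
    Rt = [random_invertible(n, rng) for _ in range(N + 1)]
    S = [mat_mul(mat_mul(Rt[i - 1], mats[i - 1]), R[i]) for i in range(1, N + 1)]
    St = [mat_mul(Rt[i], R[i]) for i in range(N + 1)]
    return S, St, R[0], Rt[N]


def combine_public(S, St):
    """S = St_0^{-1} S_1 St_1^{-1} ... S_N St_N^{-1}: inversions only on public values."""
    acc = mat_inv(St[0])
    for i, Si in enumerate(S):
        acc = mat_mul(mat_mul(acc, Si), mat_inv(St[i + 1]))
    return acc


def affine_coefficients(Rt_prev, R_i):
    """Section 6.1: Rt_{i-1} (I + x E_13) R_i = alpha + x*beta, so only the
    input-independent alpha and beta need secret precomputation."""
    n = len(R_i)
    E13 = [[0] * n for _ in range(n)]
    E13[0][2] = 1
    return mat_mul(Rt_prev, R_i), mat_mul(mat_mul(Rt_prev, E13), R_i)


def demo(seed=1, N=4):
    """Runs both reductions on N random input matrices and checks that the
    original product is recovered; also checks the affine-entry claim."""
    rng = random.Random(seed)
    mats = [input_matrix(rng.randrange(P)) for _ in range(N)]
    M = product(mats)
    S1, RN = reduction_with_inverses(mats, rng)
    ok_51 = mat_mul(product(S1), RN) == M
    S2, St, R0, RtN = inversion_free_reduction(mats, rng)
    ok_55 = mat_mul(mat_mul(R0, combine_public(S2, St)), RtN) == M
    x = rng.randrange(P)
    Rt_prev, R_i = random_invertible(3, rng), random_invertible(3, rng)
    alpha, beta = affine_coefficients(Rt_prev, R_i)
    direct = mat_mul(mat_mul(Rt_prev, input_matrix(x)), R_i)
    ok_61 = all((alpha[r][c] + x * beta[r][c]) % P == direct[r][c]
                for r in range(3) for c in range(3))
    return ok_51 and ok_55 and ok_61
```

Calling demo() returns True when all three checks pass. Note that in a real MSC deployment every R_i, $\tilde{R}_i$ and M_i lives in secret-shared form and mat_mul would be a secure multiplication; the example collapses that layer into one process purely to make the algebra of the reductions visible.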



6.2 Achieving NLOGSPACE for Multiparty Secure Computation 

The generation of secret nonsingular N x N matrices, and appropriate secret Q_L and Q_R matrices, can be done in expected O(1) rounds. Thus we find (as already claimed in [FKN94]) that there is a secure multiparty protocol for any NLOGSPACE function, using expected O(1) rounds. But we can now strengthen that conclusion by applying the methods of the previous section to N x N matrices:

Claim. Let f be represented by a composition of D NLOGSPACE-computable functions each with output size polynomial in the size of f's input. There exists a secure MSC protocol to compute each NLOGSPACE-computable subfunction with a latency of 1 round. The overall protocol incurs D + O(1) rounds.

7 Two Parties: Computing on Encrypted Inputs 

In the case of Computing on Encrypted Inputs, we do not have the flexibility to allow preprocessing. Instead, we turn back to [SYY99] for bootstrapping the product of N x N matrices.

The selection of random, secret, nonsingular matrices, and the individual computation of each of the Q_L, Q_R, S_i and $\tilde{S}_i$ matrices can be performed in NC¹. Note that input bits and extra random bits are re-used in different, parallel sub-executions.

Thus, on a higher level, the protocol for NLOGSPACE consists of some number N of executions of various NC¹ calculations. These calculations provide Alice with the values for Q_L, Q_R, S_i and $\tilde{S}_i$, which in turn enable her to compute the final bit. According to the proofs presented in [FKN94], these matrices provide no extra information. More details are below.



7.1 Computing NLOGSPACE on Encrypted Inputs 

For a given function f in NLOGSPACE, the construction in [FKN94] produces a pair of adjacency matrices, A and B. The binary entries in A depend only on Alice's inputs (or on no inputs at all), and the entries in B depend only on Bob's inputs. The (1, N) entry of (AB)^N will be nonzero if and only if the result of f is 1; otherwise f is 0. To hide the other entries in (AB)^N, which may leak information, two extra secret matrices Q_L and Q_R are used, and the desired product is $M = Q_L (AB)^N Q_R$. Bob will enable Alice to find the product of these 2N + 2 N x N matrices.

In our application, only Alice will learn the S_i and $\tilde{S}_i$ matrices. Unlike other settings, this permits us to have Bob learn or set the randomizing matrices himself, as long as Alice doesn't.

1. For each input bit x_i held by Alice, Alice encrypts and sends E(x_i) to Bob.

2. Bob selects 2N + 1 random R_i matrices and 2N + 1 random $\tilde{R}_i$ matrices (set $R_{2N+2} = \tilde{R}_{2N+2} = I$). Bob selects Q_L and Q_R at random according to the constraints in [FKN94]. He sets matrix B according to the inputs to f that he holds. Let M_1 = Q_L, M_{2N+2} = Q_R, and for i = 1..N let M_{2i} = A (values unknown to Bob) and M_{2i+1} = B.

3. Bob invokes N instances of the [SYY99] protocol. In instance i he uses Alice's encryptions to evaluate (for Alice) the result $S_{2i} = \tilde{R}_{2i-1} M_{2i} R_{2i}$. In addition, Bob directly sends the following results to Alice: $S_1 = Q_L R_1$, $S_{2N+2} = \tilde{R}_{2N+1} Q_R R_{2N+2}$, $S_{2i+1} = \tilde{R}_{2i} B R_{2i+1}$ for 1 ≤ i ≤ N, and $\tilde{S}_j = \tilde{R}_j R_j$ for 1 ≤ j ≤ 2N + 2.

4. Alice receives pyramids for S_{2i} (1 ≤ i ≤ N) and calculates S_{2i} accordingly. She then calculates $M = S_1 \tilde{S}_1^{-1} S_2 \tilde{S}_2^{-1} \cdots S_{2N+1} \tilde{S}_{2N+1}^{-1} S_{2N+2} \tilde{S}_{2N+2}^{-1}$. If entry (1, N) in M is nonzero, Alice outputs 1, else she outputs 0.

By inspection, the protocol takes one round. By arguments in [FKN94] and [SYY99], Alice's view of the pyramids and the direct matrices provides her no greater knowledge than the final result itself (from which she can construct the view). The product is clearly correct.

8 Closing Remarks 

We have extended the reach of earlier results by applying new parallelization constructs. Two results obtain. Multiparty Secure Computation can be speeded up by creating subtasks of complexity NLOGSPACE, where the latency of computing each subtask is not just O(1) but exactly 1. Likewise, Computing on Encrypted Inputs can be achieved non-interactively for functions in NLOGSPACE, not just NC¹.

We presented two approaches to achieving NC¹ computations for MSC with 1-round latency. One, based on [SYY99], has message size complexity of O(8^d) (where d is circuit depth). The other requires O(4^d). On closer inspection, the culprit seems to be the use of (0, 1)/(1, 0) representations. In the MSC application, it can be removed, collapsing the SYY pyramid to size O(4^d). It is remarkable that two distinct constructions converge to the same complexity, which may suggest a deeper relationship.
Abstract. One of the basic problems in cryptography is the generation 
of a common secret key between two parties, for instance in order to com- 
municate privately. In this paper we consider information-theoretically 
secure key agreement. Wyner and subsequently Csiszar and Korner de- 
scribed and analyzed settings for secret-key agreement based on noisy 
communication channels. Maurer as well as Ahlswede and Csiszar gen- 
eralized these models to a scenario based on correlated randomness and 
public discussion. In all these settings, the secrecy capacity and the 
secret-key rate, respectively, have been defined as the maximal achiev- 
able rates at which a highly-secret key can be generated by the legitimate 
partners. However, the privacy requirements were too weak in all these 
definitions, requiring only the ratio between the adversary’s information 
and the length of the key to be negligible, but hence tolerating her to ob- 
tain a possibly substantial amount of information about the resulting key 
in an absolute sense. We give natural stronger definitions of secrecy ca- 
pacity and secret-key rate, requiring that the adversary obtains virtually 
no information about the entire key. We show that not only secret-key 
agreement satisfying the strong secrecy condition is possible, but even 
that the achievable key-generation rates are equal to the previous weak 
notions of secrecy capacity and secret-key rate. Hence the unsatisfactory 
old definitions can be completely replaced by the new ones. We prove 
these results by a generic reduction of strong to weak key agreement. 
The reduction makes use of extractors, which allow to keep the required 
amount of communication negligible as compared to the length of the 
resulting key. 



1 Introduction and Preliminaries 

1.1 Models of Information-Theoretic Secret-Key Agreement 

This paper is concerned with information-theoretic security in cryptography. 
Unlike computationally-secure cryptosystems, the security of which is based on 
the assumed yet unproven hardness of a certain problem such as integer factoring, 
a proof without any computational assumption, based on information theory 
rather than complexity theory, can be given for the security of an information- 
theoretically (or unconditionally) secure system. 
A fundamental problem is the generation of a mutual key about which an adversary has virtually no information. Wyner [18] and later Csiszar and Korner [10] considered the natural message-transmission scenarios in which the legitimate partners Alice and Bob, as well as the adversary Eve, are connected by noisy channels. In Csiszar and Korner's setting, Alice sends information (given by the random variable X) to Bob (receiving Y) and to the opponent Eve (who obtains Z) over a noisy broadcast channel characterized by the conditional distribution $P_{YZ|X}$. Wyner's model corresponds to the special case where X → Y → Z is a Markov chain.

The secrecy capacity $C_s(P_{YZ|X})$ of the channel $P_{YZ|X}$ has been defined as the maximal rate at which Alice can transmit a secret string to Bob by using only the given noisy (one-way) broadcast channel such that the rate at which the eavesdropper receives information about the string can be made arbitrarily small. More precisely, the secrecy capacity is the maximal asymptotically-achievable ratio between the number of generated key bits and the number of applications of the noisy broadcast channel such that Eve's per-letter information about the key is small.

As a natural generalization of these settings, Maurer [13] and subsequently 
Ahlswede and Csiszar [1] have considered the model of secret-key agreement by 
public discussion from correlated randomness. Here, two parties Alice and Bob, 
having access to specific dependent information, use authentic public communi- 
cation to agree on a secret key about which an adversary, who also knows some 
related side information, obtains only a small fraction of the total information. 
More precisely, it is assumed in this model that Alice and Bob and the adversary 
Eve have access to repeated independent realizations of random variables X, Y, 
and Z, respectively. A special example is the situation where all the parties re- 
ceive noisy versions of the outcomes of some random source, e.g., random bits 
broadcast by a satellite at low signal power. 

The secret-key rate $S(X;Y\|Z)$ has, in analogy to the secrecy capacity, been defined in [13] as the maximal rate at which Alice and Bob can generate a secret key by communication over the noiseless and authentic but otherwise insecure channel in such a way that the opponent obtains information about this key only at an arbitrarily small rate.

Note that Maurer’s model is a generalization of the earlier settings in the 
sense that only the correlated information, but not the insecure communication 
is regarded as a resource. In particular, the communication can be interactive 
instead of only one-way, and the required amount of communication has no in- 
fluence on the resulting secret-key rate. These apparently innocent modifications 
have dramatic consequences for the possibility of secret-key agreement. 

1.2 The Secrecy Capacity and the Secret-Key Rate 

The precise definitions of $C_s(P_{YZ|X})$ and of $S(X;Y\|Z)$ will be given later, but we discuss here some of the most important bounds on these quantities. Roughly speaking, the possibility of secret-key agreement in Wyner's and Csiszar and Korner's models is restricted to situations for which Alice and Bob have an initial advantage in terms of $P_{YZ|X}$, whereas interactive secret-key generation can be possible in settings that are initially much less favorable for the legitimate partners.

It was shown [10] that $C_s(P_{YZ|X}) \ge \max_{P_X} (I(X;Y) - I(X;Z))$, where the maximum is taken over all possible distributions P_X on the range $\mathcal{X}$ of X, and that equality holds whenever I(X;Y) - I(X;Z) is non-negative for all distributions P_X. On the other hand, it is clear from the above bound that if U → X → YZ is a Markov chain, then $C_s(P_{YZ|X}) \ge I(U;Y) - I(U;Z)$ is also true. If the maximization is extended in this way, then equality always holds:

$C_s(P_{YZ|X}) = \max_{P_{UX} :\ U \to X \to YZ} \left( I(U;Y) - I(U;Z) \right)$ (1)

is the main result of [10]. It is a consequence of equality (1) that Alice and Bob can generate a secret key by noisy one-way communication exactly in scenarios that provide an advantage of the legitimate partners over the opponent in terms of the broadcast channel's conditional distribution $P_{YZ|X}$.

The secret-key rate $S(X;Y\|Z)$, as a function of $P_{XYZ}$, has been studied intensively. Lower and upper bounds on this quantity were derived, as well as necessary and sufficient criteria for the possibility of secret-key agreement [13], [15]. The lower bound

$S(X;Y\|Z) \ge \max\left[\, I(X;Y) - I(X;Z),\ I(Y;X) - I(Y;Z) \,\right]$ (2)

follows from equality (1) [13]. The important difference to the previous settings however is that secret-key agreement can even be possible when the right-hand side of inequality (2) is zero or negative. A special protocol phase, called advantage distillation, requiring feedback instead of only one-way communication, must be used in this case. On the other hand, it was shown in [15] that

$S(X;Y\|Z) \le I(X;Y\downarrow Z) := \min_{P_{\bar{Z}|Z}} \left[ I(X;Y|\bar{Z}) \right]$

holds, where $I(X;Y\downarrow Z)$ is called the intrinsic conditional information between X and Y, given Z. It has been conjectured in [15], based on some evidence, that $S(X;Y\|Z) = I(X;Y\downarrow Z)$ holds for all $P_{XYZ}$, or at least that $I(X;Y\downarrow Z) > 0$ implies $S(X;Y\|Z) > 0$. Most recent results suggest that the latter is true if $|\mathcal{X}| + |\mathcal{Y}| \le 5$, but false in general [11].

1.3 Contributions of this Paper and Related Work 

In all the mentioned scenarios, the conditions on the resulting secret key were 
too weak originally. As it is often done in information theory, all the involved 
quantities, including the information about the key the adversary is tolerated to 
obtain, were measured in terms of an information rate, which is defined as the 
ratio between the information quantity of interest and the number of indepen- 
dent repetitions of the underlying random experiment. Unfortunately, the total 
information the adversary gains about the resulting secret key is then, although 
arbitrarily small in terms of the rate, not necessarily bounded, let alone negligibly small. The reason is that for a given (small) ratio ε > 0, key agreement with respect to the security parameter ε is required to work only for strings of length N exceeding some bound $N_0(\varepsilon)$ which can depend on ε. In particular, $N_0(\varepsilon) \cdot \varepsilon \to \infty$ for ε → 0 is possible. Clearly, this is typically unacceptable in a cryptographic scenario. For instance, the generated key cannot be used for a one-time-pad encryption if all parts of the message must be protected.

Motivated by these considerations, stronger definitions of the rates at which a 
secret key can be generated are given for the different scenarios. More specifically, 
it is required that the information the adversary obtains about the entire key be 
negligibly small in an absolute sense, not only in terms of a rate. In the setting 
of secret-key agreement by noiseless public discussion from common information 
it is additionally required that the resulting secret key, which must be equal for 
Alice and Bob with overwhelming probability, is perfectly-uniformly distributed. 

The main result of this paper is a generic reduction from strong to weak key agreement with low communication complexity. As consequences of this, Theorems 1 and 2 state that both for the secrecy capacity and for the secret-key rate, strengthening the security requirements does not reduce the achievable key-generation rates. This is particularly interesting for the case of the secrecy capacity because in this model, all the communication must be carried out over the noisy channel. Recent advances in the theory of extractors allow for closing the gap between weak and strong security in this case.

An important consequence is that all previous results on $C_s(P_{YZ|X})$ and on $S(X;Y\|Z)$, briefly described in Section 1.2, immediately carry over to the strong notions although they were only proved for the weaker definitions. The previous definitions were hence unnecessarily weak and can be entirely replaced by the new notions.

A basic technique used for proving the mentioned reduction is privacy amplification, introduced in [3], where we use both universal hashing and, as a new method in this context, extractors. A particular problem to be dealt with is to switch between (conditional) Shannon-, Renyi-, and min-entropy of random variables or, more precisely, of blocks of independent repetitions of random variables, and the corresponding probability distributions. A powerful tool for doing this is the typical-sequences technique.

Similar definitions of strong secrecy in key agreement have been proposed already by Maurer [14] (for the secret-key rate) and by Csiszar [9] (for the secrecy capacity). The authors have learned about the existence of the paper [9] (in Russian) only a few days before submitting this final version. In [14], the lower bound (3) on a slightly weaker variant of the strong secret-key rate than the one studied in this paper was proven. We present a substantially simplified proof here. In [9], a result similar to Theorem 2 was shown, using methods different from ours. More precisely, it was proved that the technique of [10] actually leads to a stronger secrecy than stated. In contrast to this, we propose a generic procedure for amplifying the secrecy of any information-theoretic key agreement, requiring an amount of communication which is negligible compared to the length of the resulting key.

1.4 Entropy Measures and Variational Distance 

We recall the definitions of some entropy measures needed in this paper. Let R be a discrete random variable with range $\mathcal{R}$. Then the (Shannon) entropy H(R) is defined as¹ $H(R) := -\sum_{r \in \mathcal{R}} P_R(r) \cdot \log(P_R(r))$. The Renyi entropy $H_2(R)$ is $H_2(R) := -\log\left(\sum_{r \in \mathcal{R}} P_R(r)^2\right)$. Finally, the min-entropy $H_\infty(R)$ is $H_\infty(R) := -\log \max_{r \in \mathcal{R}} (P_R(r))$. For two probability distributions P_X and P_Y on a set $\mathcal{X}$, the variational distance between P_X and P_Y is defined as $d(P_X, P_Y) := \left(\sum_{x \in \mathcal{X}} |P_X(x) - P_Y(x)|\right)/2$.

2 Secret-Key Agreement from Correlated Randomness 

In this section we define a stronger variant of the secret-key rate of a distribution $P_{XYZ}$ and show that this new quantity is equal to the previous, weak secret-key rate as defined in [13]. The protocol for strong key agreement consists of 
the following steps. First, weak key agreement is repeated many times. Then, 
so-called information reconciliation (error correction) and privacy amplification 
are carried out. These steps are described in Section 2.2. Of central importance 
for all the arguments made are typical-sequences techniques (Section 2.3). The 
main result of this section, the equality of the secret-key rates, is then proven in 
Section 2.4. 



2.1 Definition of Weak and Strong Secret-Key Rates 

Definition 1 [13] The (weak) secret-key rate of X and Y with respect to Z, denoted by $S(X;Y\|Z)$, is the maximal R ≥ 0 such that for every ε > 0 and for all $N \ge N_0(\varepsilon)$ there exists a protocol, using public communication over an insecure but authenticated channel, such that Alice and Bob, who receive $X^N = [X_1, \ldots, X_N]$ and $Y^N = [Y_1, \ldots, Y_N]$, can compute keys S and S', respectively, with the following properties. First, S = S' holds with probability at least 1 - ε, and second,

$\frac{1}{N} I(S; C Z^N) \le \varepsilon$ and $\frac{1}{N} H(S) \ge R - \varepsilon$

hold. Here, C denotes the collection of messages sent over the insecure channel by Alice and Bob. ◇

As pointed out in Section 1.3, the given definition of the secret-key rate is unsat- 
isfactorily and, as shown later, unnecessarily weak. We give a strong definition 
which bounds the information leaked to the adversary in an absolute sense and 
additionally requires the resulting key to be perfectly-uniformly distributed. 

¹ All the logarithms in this paper are to the base 2, unless otherwise stated.
Definition 2 The strong secret-key rate of X and Y with respect to Z, denoted by $\overline{S}(X;Y\|Z)$, is defined in the same way as $S(X;Y\|Z)$ with the modifications that Alice and Bob compute strings S_A and S_B which are with probability at least 1 - ε both equal to a string S with the properties

$I(S; C Z^N) \le \varepsilon$ and $H(S) = \log|\mathcal{S}| \ge N \cdot (R - \varepsilon)$. ◇

Obviously, $\overline{S}(X;Y\|Z) \le S(X;Y\|Z)$ holds. It is the goal of this section to show equality of the rates for every distribution $P_{XYZ}$. Thus the attention can be totally restricted to the strong notion of secret-key rate.



2.2 Information Reconciliation and Privacy Amplification 

In this section we analyze the two steps, called information reconciliation and privacy amplification, of a protocol allowing strong secret-key agreement whenever I(X;Y) - I(X;Z) > 0 or I(Y;X) - I(Y;Z) > 0 holds. More precisely, we show

$\overline{S}(X;Y\|Z) \ge \max\{\, I(X;Y) - I(X;Z),\ I(Y;X) - I(Y;Z) \,\}.$ (3)

Assume I(X;Y) > I(X;Z). The information-reconciliation phase of interactive error correction consists of the following step. For some suitable function $h : \mathcal{X}^N \to \{0,1\}^L$, Alice sends $h(X^N)$ to Bob for providing him (who knows $Y^N$) with a sufficient amount of information about $X^N$ that allows him to reconstruct $X^N$ with high probability. The existence of such a function (in a fixed universal class, see Definition 3) for L on the order of N · H(X|Y) is stated in Lemma 1, a weaker variant of which was formulated already in [14]. Note that this type of (one-way) information-reconciliation protocol is optimal with respect to the amount of exchanged information and efficient with respect to communication complexity, but not with respect to computational efficiency of Bob. There exist efficient interactive methods, which however leak more information to the adversary (see [4] for various results on information reconciliation).

Definition 3 [7] A class G of functions $g : \mathcal{A} \to \mathcal{B}$ is universal if, for any distinct x_1 and x_2 in $\mathcal{A}$, the probability that $g(x_1) = g(x_2)$ holds is at most $1/|\mathcal{B}|$ when g is chosen at random from G according to the uniform distribution. ◇



Example 1. [7] Let 1 ≤ M ≤ N, let a be an element of $GF(2^N)$, and interpret $x \in \{0,1\}^N$ as an element of $GF(2^N)$ with respect to a fixed basis of the extension field over the prime field GF(2). Consider the function $h_a : \{0,1\}^N \to \{0,1\}^M$ assigning to an argument x the first M bits (with respect to this basis representation) of the element $a \cdot x$ of $GF(2^N)$, i.e., $h_a(x) := \mathrm{LSB}_M(a \cdot x)$. The class $\{h_a : a \in GF(2^N)\}$ is a universal class of $2^N$ functions mapping $\{0,1\}^N$ to $\{0,1\}^M$.
Lemma 1 Let X and Y be random variables, and let $[(X_1, Y_1), \ldots, (X_N, Y_N)]$ be a block of N independent realizations of X and Y. Then for every ε > 0 and ε' > 0, for sufficiently large N, for every L satisfying $L/N \ge (1 + \varepsilon) H(X|Y)$, and for every universal class $\mathcal{H}$ of functions mapping $\mathcal{X}^N$ to $\{0,1\}^L$, there exists a function h in $\mathcal{H}$ such that $X^N = [X_1, \ldots, X_N]$ can be decoded from $Y^N$ and $h(X^N)$ with error probability at most ε'.

The proof of Lemma 1 is omitted. See [4] for the proof of a closely related result. 

In the second protocol phase, privacy amplification, Alice and Bob compress the mutual but generally highly-insecure string $X^N$ to a shorter string S with virtually-uniform distribution and about which Eve has essentially no information. (Note that Eve's total information about $X^N$ consists of $Z^N$ and $h(X^N)$ at this point.) Bennett et al. [2] have shown that universal hashing allows for distilling a virtually-secure string whose length is roughly equal to the Renyi entropy of the original string in Eve's view.

Lemma 2 [2] Let W be a random variable with range $\mathcal{W}$, and let G be the random variable corresponding to the random choice, according to the uniform distribution, of a function out of a universal class of functions mapping $\mathcal{W}$ to $\{0,1\}^M$. Then $H(G(W)|G) \ge H_2(G(W)|G) \ge M - 2^{M - H_2(W)}/\ln 2$.

Lemma 2 states that if Alice and Bob share a particular string S and Eve's information about S leads to the distribution $P_{S|U=u}$ (where u denotes the particular value of her information U) about which Alice and Bob know nothing except a lower bound t on the Renyi entropy, i.e., $H_2(S|U=u) \ge t$, then Alice and Bob can generate a secret key S' of roughly t bits. More precisely, if Alice and Bob compress S to a (t - s)-bit key for some security parameter s > 0, then Eve's total information about this key is exponentially small in s (see Figure 1).
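The universal class of Example 1, the entropy measures of Section 1.4, and the privacy-amplification bound of Lemma 2, as one added worked example (this is not code from the paper). It fixes N = 8 and realizes $GF(2^8)$ with the polynomial $x^8 + x^4 + x^3 + x + 1$, checks universality by exhaustive enumeration over all keys a (the collision probability over a is exactly $2^{-M} = 1/|\mathcal{B}|$ for this class, which is the bound of Definition 3), and then computes $H_2(G(W)|G)$, the average over the uniformly chosen a, for a constructed distribution $P_{W|U=u}$ in which Eve already knows three of the eight bits, comparing it with the Lemma 2 bound. The field polynomial, the bit width, the toy distribution and all function names are choices of the example, not of the paper.

```python
"""Added example (not from the paper): the universal class of Example 1
over GF(2^8), an exhaustive check of its universality, and a numerical
check of the privacy-amplification bound of Lemma 2, using the entropy
measures of Section 1.4.  Our own choices: N = 8, the field polynomial
x^8 + x^4 + x^3 + x + 1, and the toy distribution for W."""
import math
from collections import Counter

N_BITS = 8
POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)
FIELD_SIZE = 1 << N_BITS


def gf_mul(a, b):
    """Product of two elements of GF(2^8) in the polynomial basis."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD_SIZE:
            a ^= POLY
    return r


def h(a, x, m):
    """h_a(x) = LSB_m(a * x): Example 1 with N = 8 and M = m."""
    return gf_mul(a, x) & ((1 << m) - 1)


def collision_count(x1, x2, m):
    """Number of keys a in GF(2^8) with h_a(x1) == h_a(x2).  Universality
    (Definition 3) requires at most 2^(N-m) of the 2^N keys, i.e. a
    collision probability of at most 2^-m over the choice of a."""
    return sum(1 for a in range(FIELD_SIZE) if h(a, x1, m) == h(a, x2, m))


# Entropy measures of Section 1.4, on a list of probabilities (log base 2).
def shannon(p):
    return -sum(v * math.log2(v) for v in p if v > 0)


def renyi2(p):
    return -math.log2(sum(v * v for v in p))


def min_entropy(p):
    return -math.log2(max(p))


def variational_distance(p, q):
    return sum(abs(u - v) for u, v in zip(p, q)) / 2


def toy_distribution():
    """Constructed P_{W|U=u}: Eve knows the top 3 bits of W (fixed to 101)
    and the low 5 bits are biased (odd values twice as likely as even)."""
    weights = {0xA0 | v: 1 + (v & 1) for v in range(32)}
    total = sum(weights.values())
    return {w: c / total for w, c in weights.items()}


def hashed_distribution(dist, a, m):
    """Distribution of G(W) for a fixed key a, as a list of length 2^m."""
    out = Counter()
    for w, pw in dist.items():
        out[h(a, w, m)] += pw
    return [out[y] for y in range(1 << m)]


def lemma2_check(dist, m):
    """H_2(G(W)|G), the average Renyi entropy over the uniformly chosen key a,
    next to Lemma 2's bound M - 2^(M - H_2(W)) / ln 2.  Returns (average, bound)."""
    h2_w = renyi2(list(dist.values()))
    avg = sum(renyi2(hashed_distribution(dist, a, m))
              for a in range(FIELD_SIZE)) / FIELD_SIZE
    bound = m - 2 ** (m - h2_w) / math.log(2)
    return avg, bound
```

With the toy distribution, $H_2(W)$ is a little under 5 bits, so compressing to M = 3 bits leaves a security margin of about 2 bits and lemma2_check(toy_distribution(), 3) returns an average strictly above the Lemma 2 bound; raising M toward $H_2(W)$ makes the bound collapse, which is the effect the (t - s)-bit rule above guards against.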

A natural problem that arises when combining information reconciliation and
privacy amplification with universal hashing is to determine the effect of the
error-correction information (leaked also to the adversary) on the Rényi entropy
of the partially-secret string, given Eve's information. The following result, which
was shown by Cachin [5] as an improvement of an earlier result by Cachin and
Maurer [6], states that leaking $r$ physical bits of arbitrary side information about
a string cannot reduce its Rényi entropy by substantially more than $r$, except
with exponentially small probability.

Lemma 3 [5] Let $X$ and $Q$ be random variables, and let $s > 0$. Then with
probability at least $1 - 2^{-s}$ we have $H_2(X) - H_2(X \mid Q = q) \le \log|\mathcal{Q}| + s$.
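Lemma 2 and Lemma 3 can both be checked numerically on a small source. The following Python script is an added example, not code from the paper: it computes the Shannon, Rényi and min-entropy of a constructed 4-bit distribution, measures how much a leaked side-information value $q = f(W)$ lowers the entropy (the probabilistic bound of Lemma 3, and the same check with min-entropy, which is the statement of Lemma 10 in Section 3.2), and then averages the entropy of $G(W)$ over the universal class $h_{a,b}(x) = ((ax + b) \bmod 17) \bmod 2^r$, comparing it with the bound $r - 2^{r - H_2(W)}/\ln 2$. The distribution, the leak functions and the prime 17 are example choices and not taken from the paper.

```python
import math

# Constructed 4-bit source W (16 values) with a skewed distribution; these
# weights are an example choice, not values from the paper.
WEIGHTS = [9, 7, 6, 6, 5, 5, 4, 4, 3, 3, 2, 2, 2, 1, 1, 1]
P_W = {x: w / sum(WEIGHTS) for x, w in enumerate(WEIGHTS)}

def shannon(p):        # H(W)     = -sum p log2 p
    return -sum(v * math.log2(v) for v in p.values() if v > 0)

def renyi2(p):         # H_2(W)   = -log2 sum p^2  (collision entropy)
    return -math.log2(sum(v * v for v in p.values()))

def min_entropy(p):    # H_inf(W) = -log2 max p
    return -math.log2(max(p.values()))

def condition_on(p, f, q):
    """Distribution of W given that the leaked value f(W) equals q."""
    mass = sum(v for x, v in p.items() if f(x) == q)
    return {x: v / mass for x, v in p.items() if f(x) == q}

def side_info_bad_mass(p, f, s, entropy=renyi2):
    """Probability, over q = f(W), that leaking q lowers the entropy of W by
    more than log2|Q| + s.  Lemma 3 (entropy=renyi2) and Lemma 10
    (entropy=min_entropy) state that this probability is at most 2^-s."""
    qs = {f(x) for x in p}
    threshold = math.log2(len(qs)) + s
    h_w = entropy(p)
    bad = 0.0
    for q in qs:
        if h_w - entropy(condition_on(p, f, q)) > threshold:
            bad += sum(v for x, v in p.items() if f(x) == q)
    return bad

# Universal class on Z_17 (an example choice): h_{a,b}(x) = ((a*x + b) mod 17) mod 2^r
# with a in 1..16 and b in 0..16 has collision probability at most 2^-r for any
# two distinct inputs below 17, which is all Lemma 2 needs.
PRIME = 17

def universal_class(r):
    return [lambda x, a=a, b=b: ((a * x + b) % PRIME) % (1 << r)
            for a in range(1, PRIME) for b in range(PRIME)]

def image_distribution(p, h):
    out = {}
    for x, v in p.items():
        out[h(x)] = out.get(h(x), 0.0) + v
    return out

def privacy_amplification(p, r):
    """Average H(G(W)|G) and H_2(G(W)|G) over a uniformly chosen G from the
    universal class, next to the Lemma 2 bound r - 2^(r - H_2(W)) / ln 2."""
    funcs = universal_class(r)
    avg_h = sum(shannon(image_distribution(p, h)) for h in funcs) / len(funcs)
    avg_h2 = sum(renyi2(image_distribution(p, h)) for h in funcs) / len(funcs)
    bound = r - 2 ** (r - renyi2(p)) / math.log(2)
    return avg_h, avg_h2, bound

if __name__ == "__main__":
    leak = lambda x: x if x < 2 else 2       # reveals W exactly when W < 2
    print("H, H2, Hinf:", shannon(P_W), renyi2(P_W), min_entropy(P_W))
    for s in (0.5, 1.0, 2.0):
        print("s=%.1f: bad mass %.3f <= %.3f" % (s, side_info_bad_mass(P_W, leak, s), 2 ** -s))
    print("privacy amplification, r=2 (H, H2, bound):", privacy_amplification(P_W, 2))
```

The leak function that reveals $W$ completely on a small set is the interesting case: on those outcomes the entropy drops far more than $\log|\mathcal{Q}| + s$, and the lemma only promises that such outcomes have total probability at most $2^{-s}$. Applying `privacy_amplification` to `condition_on(P_W, f, q)` shows the combined effect the text describes: hashing after a leak, with the output length chosen against the conditional Rényi entropy.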

2.3 Typical Sequences 

In the following proofs we will make use of so-called typical-sequences arguments. 
Such arguments are based on the fact that if a large number of independent 
realizations of a random variable U is considered, then the actual probability 
of the particular outcome sequence is, with overwhelming probability, close to a 
certain “typical probability.” There exist various definitions of typical sequences. 
The definition given below corresponds to a weak notion of typicality, dealing 
only with probabilities and not with the number of occurrences of the outcome 
symbols of the original random variable U in the sequence. 

Definition 4 Let $U$ be a random variable with probability distribution $P_U$ and
range $\mathcal{U}$, and let $N > 0$. Then a sequence $u = (u_1, u_2, \dots, u_N) \in \mathcal{U}^N$ is called
(weakly) $\delta$-typical if $2^{-N(H(U)+\delta)} < P_{U^N}(u) < 2^{-N(H(U)-\delta)}$.

Lemma 4 states that if $N$ is large enough, then $U^N$, distributed according to
$P_{U^N} = P_U^N$ which corresponds to $N$ independent realizations of $U$, is $\delta$-typical
with high probability. More precisely, the probability of the "non-typicality"
event tends to zero faster than 1/N^ . This follows immediately from Theorem
12.69 in [8].

Lemma 4 [8] For all $\delta, \varepsilon > 0$, we have N · (Prob[$U^N$ is not $\delta$-typical])^ < $\varepsilon$
for sufficiently large $N$.
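Definition 4 and the behaviour claimed in Lemma 4 can be made concrete for the simplest source, a Bernoulli($p$) bit source. The following Python script is an added example, not from the paper: it tests a given sequence for (weak) $\delta$-typicality in the log domain, and computes the exact probability that $U^N$ is not $\delta$-typical as a binomial tail sum (with `lgamma` to keep the binomial coefficients representable for large $N$), so that $N \cdot \mathrm{Prob}[U^N \text{ not } \delta\text{-typical}]$ can be watched going to zero. The values $p = 0.3$, $\delta = 0.1$ and the sequence lengths are example choices.

```python
import math

def binary_entropy(p):
    """H(U) of a Bernoulli(p) source, in bits."""
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def log2_prob(n, k, p):
    """log2 of the probability of one specific sequence of length n with k ones."""
    return k * math.log2(p) + (n - k) * math.log2(1 - p)

def is_delta_typical(seq, p, delta):
    """Definition 4 for a Bernoulli(p) source: u is (weakly) delta-typical iff
    2^{-N(H+delta)} < P(u) < 2^{-N(H-delta)}; compared in the log domain."""
    n, k = len(seq), sum(seq)
    h = binary_entropy(p)
    return -n * (h + delta) < log2_prob(n, k, p) < -n * (h - delta)

def prob_not_typical(n, p, delta):
    """Exact probability that U^N (N = n) is not delta-typical: the binomial
    mass of all numbers of ones k whose sequences fall outside the band.
    Terms deep in the tails may underflow to 0.0, which is harmless here."""
    h = binary_entropy(p)
    total = 0.0
    for k in range(n + 1):
        lp = log2_prob(n, k, p)
        if not (-n * (h + delta) < lp < -n * (h - delta)):
            log_binom = math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            total += math.exp(log_binom + lp * math.log(2))
    return total

def scaled_non_typicality(p, delta, lengths):
    """N * Prob[U^N is not delta-typical] for each N; Lemma 4 says this tends to 0."""
    return [n * prob_not_typical(n, p, delta) for n in lengths]

if __name__ == "__main__":
    lengths = (50, 200, 800, 3200)
    for n, v in zip(lengths, scaled_non_typicality(0.3, 0.1, lengths)):
        print("N = %5d   N * Prob[not typical] = %.3e" % (n, v))
```

For a Bernoulli source the condition reduces to the empirical frequency of ones lying within $\delta / \log_2((1-p)/p)$ of $p$, so the non-typicality probability is a large-deviation tail and decays exponentially in $N$, which is far faster than the polynomial rate Lemma 4 asks for.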

As a first step towards proving equality of the secret-key rates with respect
to the weak and strong definitions, we show that the weak definition can be
extended by an additional condition requiring that the resulting key is close-to-
uniformly distributed. More precisely, Lemma 5 states that the condition

$\frac{1}{N} H(S) \ge \frac{1}{N} \log|\mathcal{S}| - \varepsilon$  (4)

can be included into the definition of $S(X;Y\|Z)$ without effect on its value.
(Note that the condition (4) is much weaker than the uniformity condition in
the definition of $\overline{S}(X;Y\|Z)$.)

Lemma 5 Let the uniform (weak) secret-key rate $S_u(X;Y\|Z)$ be defined similarly
to $S(X;Y\|Z)$, but with the additional condition (4). Then $S_u(X;Y\|Z) = S(X;Y\|Z)$ holds.

Proof. The idea is to carry out the key-generation procedure independently many
times and to apply data compression. More precisely, secret-key agreement with
respect to the definition of $S(X;Y\|Z)$ is repeated $M$ times. Clearly, we can
assume that the resulting triples $[S_i, S_i', (Z^N, C)_i]$ are independent for different
values of $i$ and can be considered as the random variables in a new random
experiment. When repeating this experiment for a sufficient number of times and
applying data compression to the resulting sequence of keys, thereby using that
with high probability both $[S_1, S_2, \dots]$ and $[S_1', S_2', \dots]$ are typical sequences,
one finally obtains key agreement that ends up in a highly-uniformly distributed
key.

Let $R := S(X;Y\|Z)$. We show that for any $\varepsilon > 0$ (and for a sufficiently
large number of realizations of the random variables) secret-key agreement at a
rate at least $R - \varepsilon$ is possible even with respect to the stronger definition which
includes the uniformity condition (4).
For parameters $\varepsilon' > 0$ and $N > 0$, both to be determined later, let secret-
key agreement (not necessarily satisfying the new condition) be carried out $M$
times independently. Let $S_i$ and $S_i'$, $i = 1, \dots, M$, be the generated keys, and
let $C_i$ and $(Z^N)_i$ be the corresponding collection of messages sent over the public
channel and the realizations of $Z$ that Eve obtains, respectively. Then the
triples $[S_i, S_i', (Z^N, C)_i]$, $i = 1, \dots, M$, are statistically independent and identically
distributed. According to the definition of $S(X;Y\|Z)$, we can achieve for
every $i$

$H(S_i)/N \ge R - \varepsilon'$, $\quad \mathrm{Prob}[S_i \ne S_i'] \le \epsilon$, $\quad$ and $\quad I(S_i; (Z^N, C)_i)/N \le \varepsilon'$,  (5)

where the constant $\epsilon$ will be specified later. (Note that in order to make only $\epsilon$
smaller and to leave $\varepsilon'$ unchanged, it is not necessary to increase $N$ because the
second condition in (5) is stricter for larger $N$. The key can be subdivided into
smaller pieces at the end, and for every such piece, the error probability is at
most $\epsilon$.)

Using the fact that for all $\alpha > 0$ and $\delta > 0$, the event $\mathcal{E}(\delta)$ that the
sequence $[S_1, S_2, \dots, S_M]$ is $\delta$-typical has probability at least $1 - \alpha$ for sufficiently
large $M$, we can transform the key vector $[S_1, \dots, S_M]$ into an almost-
uniformly distributed key $T$ as follows. If $\mathcal{E}(\delta)$ occurs, then let $T := [S_1, \dots, S_M]$,
otherwise $T := \Delta$ for some failure symbol $\Delta$. The key $T'$ is computed from
$[S_1', \dots, S_M']$ analogously. Then, $T$ and $T'$ have the following properties. First,
$\log|\mathcal{T}| \le M(H(S) + \delta) + 1$ and $H(T) \ge (1 - \alpha) M (H(S) - \delta)$ follow from the
definitions of $T$ and of $\delta$-typical sequences. For the quantities occurring in the
definition of $S_u(X;Y\|Z)$, we hence obtain

$H(T)/MN \ge (1 - \alpha)(R - \varepsilon' - \delta/N)$,  (6)

$\mathrm{Prob}[T \ne T'] \le M\epsilon$,  (7)

$I(T; (Z^N, C)_{i=1,\dots,M})/MN \le \varepsilon'$,  (8)

$(\log|\mathcal{T}| - H(T))/MN \le \alpha R + 2\delta/N$.  (9)

Because of Lemma 4 one can choose, for every sufficiently large $N$, constants
$\alpha$, $\delta$, and $\varepsilon'$ such that $\mathrm{Prob}[\overline{\mathcal{E}(\delta)}] \le \alpha$ (where $\overline{\mathcal{E}(\delta)}$ stands for the complementary
event of $\mathcal{E}(\delta)$) for this choice of $M$, and such that the expressions on the right-
hand sides of (8) and (9) are smaller than $\varepsilon$, whereas the right-hand side of (6) is
greater than $R - \varepsilon$. Finally, $\epsilon$ can be chosen as $\varepsilon/M$, such that the condition (7)
is also satisfied.

We conclude that the uniform secret-key rate $S_u(X;Y\|Z)$ is at least
$R = S(X;Y\|Z)$. This concludes the proof. □

Lemma 6 links Rényi entropy with typicality of sequences (and hence Shannon
entropy). More precisely, the conditional Rényi entropy of a sequence of
realizations of random variables is close to the length of the sequence times the
conditional Shannon entropy of the original random variables, given a certain
typicality event which occurs with high probability. Related arguments already
appeared in [12] and [5].
Lemma 6 Let $P_{XZ}$ be the joint distribution of two random variables $X$ and
$Z$, let $0 < \delta < 1/2$, and let $N$ be an integer. The event $\mathcal{F}(\delta)$ is defined as follows:
First, the sequences $z^N$ and $(x, z)^N$ must both be $\delta$-typical, and second, $z^N$
must be such that the probability, taken over $(x')^N$ according to the distribution
$P_{X^N \mid Z^N = z^N}$, that $(x', z)^N$ is $\delta$-typical is at least $1 - \delta$. Then we have

$N \cdot \mathrm{Prob}[\overline{\mathcal{F}(\delta)}] \to 0$ for $N \to \infty$, and $H_2(X^N \mid Z^N = z^N, \mathcal{F}(\delta)) \ge N(H(X|Z) - 2\delta) + \log(1 - \delta)$.

Proof. Because of Lemma 4, the event, denoted by $\mathcal{E}(\delta)$, that both $z^N$ and
$(x, z)^N$ are $\delta$-typical has probability at least $1 - \delta^2$ for some $N = N(\delta)$ with
$N(\delta) \cdot \delta \to 0$. For this value of $N$, $z^N$ has with probability at least $1 - \sqrt{\delta^2} = 1 - \delta$
the property that $(x', z)^N$ is $\delta$-typical with probability at least $1 - \sqrt{\delta^2} = 1 - \delta$,
taken over $(x')^N$ distributed according to $P_{X^N \mid Z^N = z^N}$. Hence the probability of
the complementary event $\overline{\mathcal{F}(\delta)}$ of $\mathcal{F}(\delta)$ is at most $\delta^2 + \delta$, thus $N \cdot \mathrm{Prob}[\overline{\mathcal{F}(\delta)}] \to 0$.

On the other hand, given that $z^N$ and $(x', z)^N$ are $\delta$-typical, we can conclude
that

$2^{-N(H(X|Z) + 2\delta)} < P_{X^N \mid Z^N = z^N}((x')^N) < 2^{-N(H(X|Z) - 2\delta)}$

holds. For a fixed value $z^N$, the Rényi entropy of $X^N$, given the events $Z^N = z^N$
and $\mathcal{F}(\delta)$, is lower bounded by the Rényi entropy of a uniform distribution
over a set with $(1 - \delta) \cdot 2^{N(H(X|Z) - 2\delta)}$ elements: $H_2(X^N \mid Z^N = z^N, \mathcal{F}(\delta)) \ge N(H(X|Z) - 2\delta) + \log(1 - \delta)$. □

2.4 Equality of Weak and Strong Rates 

In this section we prove the lower bound (3) on $\overline{S}(X;Y\|Z)$ and the first main
result, stating that the weak and strong secret-key rates are equal for every
distribution. A result closely related to Lemma 7 was proved as the main result
in [14]. We give a much shorter and simpler proof based on the results in
Sections 2.2 and 2.3.

Lemma 7 For all $P_{XYZ}$, $\overline{S}(X;Y\|Z) \ge \max\{\, I(X;Y) - I(X;Z),\ I(Y;X) - I(Y;Z) \,\}$ holds.

Proof. We only prove that $I(X;Y) - I(X;Z) = H(X|Z) - H(X|Y)$ is an achievable
rate. The statement then follows by symmetry.

Let $\varepsilon > 0$, and let $\Delta > 0$ be determined later. We show that for the parameter
$\varepsilon$, and for sufficiently large $N$, there exists a protocol which achieves the above
rate (reduced by $\varepsilon$). Let $\delta < \varepsilon/4$ and $\alpha < \Delta/(2H(X))$ be constants, and let $\mathcal{F}(\delta)$
be the event as defined in Lemma 6. Because of Lemma 6 we have for sufficiently
large $N$ that $N \cdot \mathrm{Prob}[\overline{\mathcal{F}(\delta)}] \le \alpha$. On the other hand,

$H_2(X^N \mid Z^N = z^N, \mathcal{F}(\delta)) \ge N \cdot (H(X|Z) - 2\delta) + \log(1 - \delta)$

holds.
The protocol now consists of two messages sent from Alice to Bob, one for
information reconciliation and the other one for privacy amplification (see Section
2.2). Let $\beta < \varepsilon/(2H(X|Y))$ be a positive constant. According to Lemma 1
there exists for sufficiently large $N$ a function $h : \mathcal{X}^N \to \{0,1\}^L$, where
$L := \lceil (1 + \beta) N H(X|Y) \rceil$, such that $X^N$ can be determined from $Y^N$ and $h(X^N)$
with probability at least $1 - \varepsilon/2$ (using the optimal strategy). Clearly, the value
$h(X^N)$ reduces Eve's uncertainty in terms of Rényi entropy about $X^N$. We conclude
from Lemma 3 for $s := 2\log(2NH(X)/\Delta) + 2$ that with probability at
least $1 - 2^{-s}$

$H_2(X^N \mid Z^N = z^N, h(X^N) = h(x^N), \mathcal{F}(\delta))$  (10)

$\ge N \cdot (H(X|Z) - 2\delta) + \log(1 - \delta) - [(1 + \beta) \cdot N \cdot H(X|Y) + 1 + s]$

$= N \cdot (H(X|Z) - H(X|Y)) - 2\delta N - \beta N H(X|Y) - 1 - s + \log(1 - \delta)$
$=: Q$.

Finally, Alice and Bob use privacy amplification to transform their mutual information
$X^N$ into a highly-secret string $S$. Let $r := \lceil \log \Delta^{-1} \rceil$, and let $M := Q - r$
be the length of the resulting string $S$. If $G$ is the random variable corresponding
to the random choice of a universal hash function mapping $\mathcal{X}^N$ to $\{0,1\}^M$,
and if $S := G(X^N)$, then we have
$H(S \mid Z^N = z^N, h(X^N) = h(x^N), G, \mathcal{F}(\delta)) \ge M - 2^{-r}/\ln 2$
under the condition that inequality (10) holds. Hence we get for
sufficiently large $N$

$H(S \mid Z^N, h(X^N), G) \ge (\mathrm{Prob}[\mathcal{F}(\delta)] - 2^{-(s/2 - 1)})(M - 2^{-r}/\ln 2)$

$\ge M - 2^{-r}/\ln 2 - (\mathrm{Prob}[\overline{\mathcal{F}(\delta)}] + 2^{-(s/2 - 1)}) \cdot N \cdot H(X)$
$\ge \log|\mathcal{S}| - \Delta$

by definition of $r$, $\alpha$, and $s$. Let now $\overline{S}$ be a "uniformization" of $S$ (i.e., a random
variable $\overline{S}$ with range $\overline{\mathcal{S}} = \mathcal{S} = \{0,1\}^M$ that is generated by sending $S$ over
some channel characterized by $P_{\overline{S} \mid S}$, that is uniformly distributed, and that
minimizes $\mathrm{Prob}[\overline{S} \ne S]$ among all random variables with these properties). For
$C := [h(X^N), G]$ and sufficiently small $\Delta$, we can then conclude that

$I(\overline{S}; Z^N C) \le \varepsilon$, $\quad H(\overline{S}) = \log|\mathcal{S}|$, $\quad$ and $\quad \mathrm{Prob}[S' \ne \overline{S}] \le \varepsilon$

holds because of $H(S) \ge H(S \mid Z^N, h(X^N), G)$. The achievable key-generation
rate with this protocol is hence at least

$H(X|Z) - H(X|Y) - 2\delta - \beta H(X|Y) > I(X;Y) - I(X;Z) - \varepsilon$.

Thus we obtain $\overline{S}(X;Y\|Z) \ge I(X;Y) - I(X;Z)$, and this concludes the proof. □

Theorem 1 is the main result of this section and states that the strong secret-
key rate $\overline{S}(X;Y\|Z)$ is always equal to the weak secret-key rate $S(X;Y\|Z)$.

Theorem 1 For all distributions $P_{XYZ}$, we have $\overline{S}(X;Y\|Z) = S(X;Y\|Z)$.
Proof. Clearly, $\overline{S}(X;Y\|Z) \le S(X;Y\|Z)$ holds. Let $R := S(X;Y\|Z)$, and let
$\varepsilon > 0$. According to the definition of the secret-key rate $S(X;Y\|Z)$ (and because
of Lemma 5), there exists, for sufficiently large $N$, a protocol with the following
properties: Alice and Bob know, at the end of the protocol, strings $S$ and $S'$
such that $H(S) \ge NR - N\varepsilon$, $\mathrm{Prob}[S \ne S'] \le \varepsilon$, $I(S; Z^N C) \le N\varepsilon$, and
$H(S) \ge \log|\mathcal{S}| - N\varepsilon$ hold. From these equations, we can conclude by Fano's inequality [8]
that

$I(S; S') = H(S) - H(S \mid S') \ge H(S) - h(\mathrm{Prob}[S \ne S']) - \mathrm{Prob}[S \ne S'] (H(S) + N\varepsilon)$
$\ge H(S)(1 - \varepsilon) - h(\varepsilon) - N\varepsilon^2 \ge NR - NR\varepsilon - N\varepsilon - h(\varepsilon)$

holds (where $h$ is the binary entropy function), hence
$I(S; S') - I(S; Z^N C) \ge NR - NR\varepsilon - 2N\varepsilon - h(\varepsilon)$. Let us now consider the random experiment $[S, S', Z^N C]$
(where we assume that the realizations are independent). By applying Lemma 7
to the new distribution, we get

$\overline{S}(X;Y\|Z) \ge \overline{S}(S; S' \| Z^N C)/N \ge (I(S; S') - I(S; Z^N C))/N \ge R - R\varepsilon - 2\varepsilon - h(\varepsilon)/N$

for every $\varepsilon > 0$, thus $\overline{S}(X;Y\|Z) \ge S(X;Y\|Z)$. □



3 Strengthening the Secrecy Capacity 

This section is concerned with the model introduced by Wyner [18] and the generalization
thereof by Csiszár and Körner [10], which served as a motivation for
Maurer's [13] scenario treated in Section 2. In analogy to the weak definition of
the secret-key rate, the original definition of the secrecy capacity is not satisfactory
because the total amount of information about the resulting key that the
adversary obtains can be unbounded. We show that also the definition of the
secrecy capacity can be strengthened, without any effect on the actual value of
this quantity, in the sense that the total amount of information the adversary
obtains about the secret key is negligibly small. More precisely, we develop a
generic reduction of strong to weak key agreement by one-way communication
and such that the total length of the additional messages is negligible compared
to the length of the resulting string. The low-communication-complexity condition
is necessary because in this model, in contrast to the model of Section 2, no
communication is "for free." More precisely, the noisy broadcast channel must
be used for the entire communication (i.e., for the exchange of all the error-
correction and privacy-amplification information), which at first sight appears
to reduce the maximal achievable key-generation rate. However, the use of extractors
(see Section 3.2) instead of universal hashing for privacy amplification
allows keeping the fraction of channel uses for communicating the error-correction
and privacy-amplification messages arbitrarily small.

3.1 Definition of the Secrecy Capacity $C_s(P_{YZ|X})$

Assume that the parties Alice and Bob, and the adversary Eve, are connected
by a noisy broadcast channel with conditional output distribution $P_{YZ|X}$ [10].
(Wyner's wire-tap channel corresponds to the special case where $P_{YZ|X} = P_{Y|X} \cdot P_{Z|Y}$
holds.) The ability of generating mutual secret information was quantified
as follows.

Definition 5 [18], [10] Consider a memoryless broadcast channel characterized
by the conditional joint distribution $P_{YZ|X}$. The secrecy capacity $C_s(P_{YZ|X})$
of the channel is the maximal real number $R \ge 0$ such that for every $\varepsilon > 0$, for
sufficiently large $N$, and for $K := \lfloor (R - \varepsilon) N \rfloor$, there exists a possibly probabilistic
(i.e., additionally depending on some random bits) encoding function
$e : \{0,1\}^K \to \mathcal{X}^N$ together with a decoding function $d : \mathcal{Y}^N \to \{0,1\}^K$ such
that if $S$ is uniformly distributed over $\{0,1\}^K$, we have for $X^N = e(S)$ and
$S' := d(Y^N)$ that $\mathrm{Prob}[S' \ne S] \le \varepsilon$ and

$\frac{1}{K} H(S \mid Z^N) \ge 1 - \varepsilon$  (11)

hold. ◇

3.2 Privacy Amplification with Extractors 

In order to show that the notion of secrecy used in the definition of $C_s$ can be
strengthened without reducing the secrecy capacity of the broadcast channel, we
need a different technique for privacy amplification, requiring less information to
be transmitted, namely only an asymptotically arbitrarily small fraction of the
number of bits of the partially-secure string to be compressed. (Otherwise, the
channel applications needed for sending this message would reduce the achievable
key-generation rate.) We show that such a technique is given by so-called extractors.
Roughly speaking, an extractor allows one to efficiently isolate the randomness
of some source into virtually-random bits, using a small additional number of
perfectly-random bits as a catalyst, i.e., in such a way that these bits reappear
as a part of the almost-uniform output. Extractors are of great importance in
theoretical computer science, where randomness is often regarded as a resource.
They have been studied intensively in the past years by many authors. For an
introduction and some constructions, see [16], [17], and the references therein.

Recent results, described below, show that extractors allow, using only a
small amount of true randomness, to distill (almost) the entire randomness,
measured in terms of $H_\infty$, of some string into an almost-uniformly distributed
string. A disadvantage of using extractors instead of universal hashing for privacy
amplification is that a string of length only roughly equal to the min-entropy
instead of the generally greater Rényi entropy of the original random variable can
be extracted. However, this drawback has virtually no effect in connection with
typical sequences, i.e., almost-uniform distributions, for which all the entropy
measures are roughly equal.

Definition 6 A function $E : \{0,1\}^N \times \{0,1\}^d \to \{0,1\}^r$ is called a $(\delta', \varepsilon')$-
extractor if for any random variable $T$ with range $\mathcal{T} \subseteq \{0,1\}^N$ and min-entropy
$H_\infty(T) \ge \delta' N$, the variational distance of the distribution of $[V, E(T, V)]$ to the
uniform distribution over $\{0,1\}^{d+r}$ is at most $\varepsilon'$ when $V$ is independent of $T$ and
uniformly distributed in $\{0,1\}^d$. ◇
The following theorem was proved in [17]. It states that there exist extractors
which distill virtually all the min-entropy out of a weakly-random source, thereby
requiring only a small (i.e., "poly-logarithmic") number of truly-random bits.
Note that Definition 6, and hence the statement of Lemma 8, is formally slightly
stronger than the corresponding definition in [17] because it not only requires
that the length of the extractor output is roughly equal to the min-entropy of
the source plus the number of random bits, but that these bits even reappear
as a part of the output. It is not difficult to see that the extractors described
in [17] have this additional property.

Lemma 8 [17] For every choice of the parameters $N$, $0 < \delta' < 1$, and $\varepsilon' > 0$,
there exists a $(\delta', \varepsilon')$-extractor $E : \{0,1\}^N \times \{0,1\}^d \to \{0,1\}^{\delta' N - 2\log(1/\varepsilon') - O(1)}$,
where $d = O((\log(N/\varepsilon'))^2 \log(\delta' N))$.

Lemma 9, which is a consequence of Lemma 8, is what we need in the proof
of Theorem 2. The statement of Lemma 9 is related to Lemma 2, where universal
hashing is replaced by extractors, and min-entropy must be used instead of Rényi
entropy (see Figure 1).



[Fig. 1. Privacy Amplification: Universal Hashing Versus Extractors. The figure
contrasts the two routes: universal hashing turns $H_2(S \mid U = u)$ into $H(S' \mid G, U = u)$,
whereas an extractor turns $H_\infty(S \mid U = u)$ into $H(S' \mid V, U = u)$.]


Lemma 9 Let $\delta', \Delta_1, \Delta_2 > 0$ be constants. Then there exists, for all sufficiently
large $N$, a function $E : \{0,1\}^N \times \{0,1\}^d \to \{0,1\}^r$, where $d \le \Delta_1 N$ and
$r \ge (\delta' - \Delta_2) N$, such that for all random variables $T$ with $\mathcal{T} \subseteq \{0,1\}^N$ and
$H_\infty(T) \ge \delta' N$, we have

$H(E(T, V) \mid V) \ge$  (12)

Proof. Let $\varepsilon'(N) := 2^{-\sqrt{N}/\log N}$. Then there exists $N_0$ such that for all $N \ge N_0$
we have a $(\delta', \varepsilon')$-extractor $E$, mapping $\{0,1\}^N \times \{0,1\}^d$ to $\{0,1\}^r$, where $d \le \Delta_1 N$
(note that $d = O(N/\log N)$ holds for this choice of $\varepsilon'$) and $r \ge (\delta' - \Delta_2) N$.
By definition, this means that for a uniformly distributed $d$-bit string $V$ and if
$H_\infty(T) \ge \delta' N$, the distance of the distribution of $[V, E(T, V)]$ to the uniform
distribution $U_{d+r}$ over $\{0,1\}^{d+r}$ is at most $\varepsilon' = 2^{-\sqrt{N}/\log N}$. Because

$d([V, E(T, V)], U_{d+r}) = E_V[\, d(E(T, V), U_r) \,] \le \varepsilon'$

holds for uniformly distributed $V$, the distance of the distribution of $E(T, v)$
to the uniform distribution $U_r$ (over $\{0,1\}^r$) is at most $\sqrt{\varepsilon'}$ with probability at
least $1 - \sqrt{\varepsilon'}$ over $v$, i.e.,

$P_V\big[\, d(E(T, V), U_r) \le \sqrt{\varepsilon'} \,\big] \ge 1 - \sqrt{\varepsilon'}$.  (13)

Inequality (12) follows from (13) in a straight-forward way. □
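The two steps of this proof, the identity $d([V, E(T,V)], U_{d+r}) = E_V[d(E(T,V), U_r)]$ and the Markov-inequality step (13), can be observed on a tiny instance. The following Python script is an added example, not from the paper or from [17]: as the extractor $E$ it uses the Toeplitz-matrix hash family over GF(2) (a universal family, so the leftover hash lemma rather than the construction of [17] is what makes it an extractor; the $d = N + r - 1$ seed bits are the matrix diagonals, and the seed is output alongside $E(T, V)$ as Definition 6 requires). The source $T$, uniform on the 64 bytes whose two top bits are set so that $H_\infty(T) = 6$ out of $N = 8$ bits, and the parameters $N = 8$, $r = 4$ are example choices.

```python
import math

N, R = 8, 4          # source length N bits, output length r bits (example choices)
D = N + R - 1        # seed length: the diagonals of an r x N Toeplitz matrix over GF(2)

# Constructed weak source T: uniform over the 64 bytes whose two top bits are set,
# so H_inf(T) = H_2(T) = 6 = delta' * N with delta' = 0.75.
SOURCE = {x: 1.0 / 64 for x in range(192, 256)}

def toeplitz_rows(seed):
    """Row masks of the r x N binary Toeplitz matrix M_v with M[i][j] = v[i - j + N - 1]."""
    rows = []
    for i in range(R):
        mask = 0
        for j in range(N):
            if (seed >> (i - j + N - 1)) & 1:
                mask |= 1 << j
        rows.append(mask)
    return rows

def extract(x, rows):
    """E(x, v) = M_v * x over GF(2): output bit i is the parity of x AND row i."""
    out = 0
    for i, row in enumerate(rows):
        if bin(x & row).count("1") & 1:
            out |= 1 << i
    return out

def dist_to_uniform(p, size):
    """Variational distance of the distribution p (dict) to the uniform one on `size` points."""
    u = 1.0 / size
    return 0.5 * sum(abs(p.get(i, 0.0) - u) for i in range(size))

def per_seed_distances():
    """d(E(T, v), U_r) for every seed v in {0,1}^d."""
    dists = []
    for v in range(1 << D):
        rows = toeplitz_rows(v)
        out = {}
        for x, px in SOURCE.items():
            y = extract(x, rows)
            out[y] = out.get(y, 0.0) + px
        dists.append(dist_to_uniform(out, 1 << R))
    return dists

def joint_distance():
    """d([V, E(T, V)], U_{d+r}) for uniform V, computed directly on the joint
    distribution, i.e. with the seed counted as part of the output."""
    pv = 1.0 / (1 << D)
    joint = {}
    for v in range(1 << D):
        rows = toeplitz_rows(v)
        for x, px in SOURCE.items():
            key = (v << R) | extract(x, rows)
            joint[key] = joint.get(key, 0.0) + pv * px
    return dist_to_uniform(joint, 1 << (D + R))

def lemma9_step():
    """Returns (eps', joint distance, fraction of seeds with d(E(T,v),U_r) <= sqrt(eps'),
    leftover-hash bound).  The identity in the proof gives eps' == joint distance;
    inequality (13) says the fraction is at least 1 - sqrt(eps')."""
    dists = per_seed_distances()
    eps = sum(dists) / len(dists)                      # = E_V[d(E(T,V), U_r)]
    good = sum(1 for dd in dists if dd <= math.sqrt(eps)) / len(dists)
    lhl_bound = 0.5 * math.sqrt(2 ** (R - 6))          # 1/2 * sqrt(2^r * 2^-H_2(T))
    return eps, joint_distance(), good, lhl_bound

if __name__ == "__main__":
    eps, joint, good, lhl = lemma9_step()
    print("eps' = %.4f  joint distance = %.4f  (leftover-hash bound %.3f)" % (eps, joint, lhl))
    print("fraction of seeds within sqrt(eps') of uniform: %.4f >= %.4f" % (good, 1 - math.sqrt(eps)))
```

The seed $v = 0$ gives the all-zero matrix, whose output is constant and $15/16$ away from uniform; (13) does not exclude such seeds, it only bounds their total weight by $\sqrt{\varepsilon'}$, which is why the lemma is stated for the average over $V$ and not for every seed.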



Lemma 3 gives an upper bound on the effect of side information on the
Rényi entropy of a random variable, and thus links information reconciliation
and privacy amplification with universal hashing. We now need a similar result
with respect to min-entropy $H_\infty$. The proof of Lemma 10 is straight-forward
and therefore omitted.

Lemma 10 Let $X$ and $Q$ be random variables, and let $s > 0$. Then with probability
at least $1 - 2^{-s}$, we have $H_\infty(X) - H_\infty(X \mid Q = q) \le \log|\mathcal{Q}| + s$.



3.3 The Strong Secrecy Capacity $\overline{C}_s(P_{YZ|X})$

In this section we show that the definition of secrecy capacity in Csiszár and
Körner's, hence also in Wyner's, model can be strengthened similarly to the
weak and strong notions of secret-key rate: Not the rate, but the total amount
of leaked information is negligible. Note that an additional uniformity condition
is not necessary here since already the definition of $C_s$ requires the key to be
perfectly-uniformly distributed. Theorem 2 is the main result of this section.

Definition 7 For a distribution $P_{YZ|X}$, the strong secrecy capacity $\overline{C}_s(P_{YZ|X})$
is defined similarly to $C_s(P_{YZ|X})$, where the secrecy condition (11) is replaced
by the stronger requirement $H(S \mid Z^N) \ge K - \varepsilon$. ◇

Theorem 2 For all distributions $P_{YZ|X}$, we have $\overline{C}_s(P_{YZ|X}) = C_s(P_{YZ|X})$.

Proof. The idea of the proof is to repeat the (weak) key generation a number
of times and to compute from the block of resulting weak keys a secure
string satisfying the stronger definition of secrecy capacity. More precisely, this
is done by information reconciliation as described in Section 2.2, and by privacy
amplification with extractors. Since the parties have, in contrast to the public-
discussion model, no access to a noiseless public channel, all the error-correction
and privacy-amplification information must be sent over the noisy channel specified
by the conditional marginal distribution $P_{Y|X}(y, x) = \sum_z P_{YZ|X}(y, z, x)$.
However, the use of extractors instead of universal hashing for privacy amplification
allows keeping the fraction of channel uses required for this communication
negligibly small. This is precisely what is needed for showing equality of $C_s$ and $\overline{C}_s$.

Let $R := C_s(P_{YZ|X})$. For a constant $\varepsilon' > 0$ and integers $M$ and $N$ to be
determined later, assume that the key-generation procedure, with respect to
the (weak) secrecy capacity $C_s$ and parameters $\varepsilon'$ and $N$, is repeated independently
$M$ times. Let $S^M := [S_1, \dots, S_M]$ and $(S')^M := [S_1', \dots, S_M']$ be the
generated keys of Alice and Bob, respectively, and let $K = \lfloor (R - \varepsilon') N \rfloor$ be the
length of (the binary strings) $S_i$ and $S_i'$. From the fact that $\mathrm{Prob}[S_i \ne S_i'] \le \varepsilon'$
holds we conclude, by Fano's inequality, $H(S_i \mid S_i') \le \varepsilon' K + 1$ for all $i$, hence
$H(S^M \mid (S')^M) \le M(\varepsilon' K + 1)$.

For constants $\Delta_1, \Delta_2 > 0$, we conclude from Lemma 1 that there exists an
error-correction-information function $h : (\{0,1\}^K)^M \to \{0,1\}^{\lceil (1 + \Delta_1) M (\varepsilon' K + 1) \rceil}$
such that $S^M$ can be determined from $(S')^M$ and $h(S^M)$ with probability at least
$1 - \Delta_2$ for sufficiently large $M$. Hence $\lceil (1 + \Delta_1) M (\varepsilon' K + 1) \rceil$ message bits have
to be transmitted over the channel $P_{Y|X}$ for error correction (see below).

According to the definition of the (weak) secrecy capacity $C_s$, we have
$H(S_i \mid Z^N) \ge K(1 - \varepsilon')$. For $\delta > 0$, let the event $\mathcal{F}(\delta)$, with respect to the
random variables $S$ and $Z^N$, be defined as in Lemma 6. For every $\alpha > 0$ we can
achieve, for arbitrarily large (fixed) $N$ and $M$, $MK \cdot \mathrm{Prob}[\overline{\mathcal{F}(\delta)}] \le \alpha$ and

$H_\infty(S^M \mid (Z^N)^M = (z^N)^M, \mathcal{F}(\delta)) \ge M(K(1 - \varepsilon') - 2\delta) + \log(1 - \delta)$.

The reason is that the statement of Lemma 6 also holds for the min-entropy
$H_\infty$ instead of $H_2$. The proof of this variant is exactly the same because it is
ultimately based on uniform distributions, for which $H_2$ and $H_\infty$ (and also $H$)
are equal.

Let us now consider the effect of the error-correction information (partially)
leaked to the adversary. According to Lemma 10, we have for $s > 0$ with probability
at least $1 - 2^{-s}$

$H_\infty(S^M \mid (Z^N)^M = (z^N)^M, h(S^M) = h(s^M), \mathcal{F}(\delta))$

$\ge M(K(1 - \varepsilon') - 2\delta) + \log(1 - \delta) - \lceil (1 + \Delta_1) M (\varepsilon' K + 1) \rceil - s$

$\ge MK(1 - \Delta_3)$  (14)

for some constant $\Delta_3$ that can be made arbitrarily small by choosing $N$ large
enough, $s := \lceil \log M \rceil$, and $\Delta_1$ as well as $\varepsilon'$ small enough.

Let now for constants $\Delta_4, \Delta_5 > 0$ and sufficiently large $M$ an extractor
function $E$ be given according to Lemma 9, i.e., $E : \{0,1\}^{MK} \times \{0,1\}^d \to \{0,1\}^r$
with $d \le \Delta_4 MK$ and $r \ge MK(1 - \Delta_3 - \Delta_5)$ such that, for $\tilde{S} := E(S^M, V)$, the
inequality

$H(\tilde{S} \mid (Z^N)^M = (z^N)^M, h(S^M) = h(s^M), V, \mathcal{F}(\delta)) \ge$

holds if $V$ is uniformly distributed in $\{0,1\}^d$. Let $\tilde{S}'$ be the key computed in the
same way by Bob (where the random bits $V$ are sent over to him by Alice using
the channel $P_{Y|X}$ with an appropriate error-correcting code).
The resulting key $\tilde{S}$ of Alice is now close-to-uniformly, but not perfectly-
uniformly distributed. Given the events $\mathcal{F}(\delta)$ and that inequality (14) holds, we
have $H(\tilde{S}) \ge r -$

Let now, as in the proof of Lemma 7, $\overline{S}$ be the "uniformization" of $\tilde{S}$ (the
random variable which is uniformly distributed in $\{0,1\}^r$ and jointly distributed
with $\tilde{S}$ in such a way that $\mathrm{Prob}[\overline{S} \ne \tilde{S}]$ is minimized). It is clear that for any
$\Delta_6 > 0$, $\mathrm{Prob}[\tilde{S}' \ne \overline{S}] \le \Delta_6$ can be achieved for sufficiently large $M$.

Let us finally consider the number of channel uses necessary for communicating
the information for information reconciliation and privacy amplification.
The number of bits to be transmitted is, according to the above, at most
$\lceil (1 + \Delta_1) M (\varepsilon' K + 1) \rceil + \Delta_4 MK$. It is an immediate consequence of Shannon's
channel-coding theorem (see for example [8]) that for arbitrary $\Delta_7, \Delta_8 > 0$ and
sufficiently large $M$, the number of channel uses for transmitting these messages
can be less than

$\frac{MK((1 + \Delta_1)\varepsilon' + \Delta_4) + (1 + \Delta_1) M + 1}{C(P_{Y|X}) - \Delta_7}$

(where $C(P_{Y|X})$ is the capacity of the channel $P_{Y|X}$ from Alice to Bob), keeping
the probability of a decoding error below $\Delta_8$. Note that $C(P_{Y|X}) > 0$ clearly
holds when $C_s(P_{YZ|X}) > 0$. (If $C(P_{Y|X}) = 0$, the statement of the theorem is
hence trivially satisfied.) Thus the total number of channel uses for the entire key
generation can be made smaller than $MN(1 + \Delta_9)$ for arbitrarily small $\Delta_9 > 0$
and sufficiently large $N$.

From the above we can now conclude that $\overline{S}$ is a perfectly-uniformly distributed
string of length $r = (1 - o(1)) R L$, where $L = (1 + o(1)) MN$ is the total
number of channel uses. Furthermore, we have by construction $\mathrm{Prob}[\tilde{S}' \ne \overline{S}] = o(1)$
and finally

$H(\overline{S} \mid Z^L) = H(\overline{S}) - I(\overline{S}; Z^L) \ge H(\overline{S}) - I(\tilde{S}; Z^L)$  (15)

$\ge \ \cdots \ \big( 2^{-s} + \mathrm{Prob}[\overline{\mathcal{F}(\delta)}] \big) = r - o(1)$.

The inequality in (15) holds because $Z^L \to \tilde{S} \to \overline{S}$ is a Markov chain and because
of the data-processing lemma [8]. Hence the achievable rate with respect to the
strong secrecy-capacity definition is of order $(1 - o(1)) R = (1 - o(1)) C_s(P_{YZ|X})$,
thus $\overline{C}_s(P_{YZ|X}) = C_s(P_{YZ|X})$ holds. □



4 Concluding Remarks 

The fact that previous security definitions of information-theoretic key agreement
in the noisy-channel models by Wyner [18] and Csiszár and Körner [10]
and the correlated-randomness settings of Maurer [13] and Ahlswede-Csiszár [1]
are unsatisfactory is a motivation for studying much stronger definitions which
allow the adversary to obtain only a negligibly small amount of information
about the generated key. We have shown, by a generic reduction with low communication
complexity and based on extractor functions, that in all these models,
the achievable key-generation rates with respect to the weak and strong definitions
are asymptotically identical. Therefore, the old notions can be entirely
replaced by the new definitions.
Abstract. This paper introduces two new attacks on PKCS#1 v1.5, an
RSA-based encryption standard proposed by RSA Laboratories. As opposed
to Bleichenbacher's attack, our attacks are chosen-plaintext only,
i.e. they do not make use of a decryption oracle. The first attack applies
to small public exponents and shows that a plaintext ending by
sufficiently many zeroes can be recovered efficiently when two or more
ciphertexts corresponding to the same plaintext are available. We believe
the technique we employ to be of independent interest, as it extends Coppersmith's
low-exponent attack to certain length parameters. Our second
attack is applicable to arbitrary public exponents, provided that most
message bits are zeroes. It seems to constitute the first chosen-plaintext
attack on an RSA-based encryption standard that yields practical results
for any public exponent.



1 Introduction 

PKCS stands for Public-Key Cryptography Standards. It is a large corpus of
specifications covering RSA encryption [13], Diffie-Hellman key agreement, password-
based encryption, syntax (extended-certificates, cryptographic messages,
private-key information and certification requests) and selected attributes. Historically,
PKCS was developed by RSA Laboratories, Apple, Digital, Lotus, Microsoft,
MIT, Northern Telecom, Novell and Sun. The standards have been regularly
updated since. Today, PKCS has become a part of several standards and
of a wide range of security products including Internet Privacy-Enhanced Mail.

Amongst the PKCS collection, PKCS#1 v1.5 describes a particular encoding
method for RSA encryption called rsaEncryption. In essence, the enveloped data
is first encrypted under a randomly chosen key using a symmetric block-cipher
(e.g. triple DES in CBC mode) then is RSA-encrypted with the recipient's
public key.

In 1998, Bleichenbacher [2] published an adaptive chosen-ciphertext attack on
PKCS#1 v1.5 capable of recovering arbitrary plaintexts from a few hundreds of
thousands of ciphertexts. Although active adversary models are generally viewed
as theoretical issues^1, Bleichenbacher's attack makes use of an oracle that only
detects conformance with respect to the padding format, a real-life assumption
leading to a practical threat. PKCS#1 was subsequently updated in the release
2.0 [15] and patches were issued to users wishing to continue using the old version
of the standard.

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 369-381, 2000.

© Springer-Verlag Berlin Heidelberg 2000

Jean-Sebastien Coron et al.

Independently, there exist several well-known chosen-plaintext attacks on
RSA-based encryption schemes [8,5]. These typically enable an attacker to decrypt
ciphertexts at moderate cost without requiring the factorization of the public modulus.
The most powerful cryptanalytic tool applicable to low-exponent RSA is
probably the one based on a theorem due to Coppersmith [6]. As a matter of fact,
one major purpose of imposing a partially random padding form to messages,
besides attempting to achieve a proper security level such as indistinguishability,
is to render the whole encryption scheme resistant against such attacks.

This paper shows that, despite these efforts, chosen-plaintext attacks are 
actually sufficient to break pkcs# 1 vl.5 even in cases when Coppersmith’s 
attack does not apply. We introduce new cryptanalytic techniques allowing an 
attacker to retrieve plaintexts belonging to a certain category, namely messages 
ending by a required minimum number of zeroes. The first attack requires two 
or more ciphertexts corresponding to the same plaintext. Although specific, our 
attacks only require a very small amount of ciphertexts (say ten of them), are 
completely independent from the public modulus given its size and, moreover, 
are fully practical for usual modulus sizes. 

The rest of this paper is divided as follows. Section 2 introduces a new low-
exponent attack for which we provide a comparison with Coppersmith's attack
in Section 3. Section 4 shows how to deal with arbitrary public exponents while
staying within the chosen-plaintext attack model. Counter-measures are discussed
in Section 5. For completeness, Appendix A reports practical experiments
of our technique performed on 1024-bit ciphertexts.

2 Our Low-Exponent Chosen-Plaintext Attack 

We briefly recall the PKCS#1 v1.5 encoding procedure [14]. Let { } be an RSA 

public key and be the corresponding secret key. Denoting by the byte-length 
of , we have < < 2®^. A message m of size |m| bytes with |m| < — 11 

is encrypted as follows. A padding ' consisting of — 3 — |m| > 8 nonzero bytes 
is generated at random. Then the message m gets transformed into: 

PKCS(m ') = 0002 i 6|| '||00i6||m 
and encrypted to form the ciphertext: 

= PKCS(m 'Y mod 

¹ Chosen-ciphertext attacks require the strong assumption that the adversary has
complete access to a decryption oracle.
Letting = (0002_16 || '), we can write PKCS(m, ') = 2^ + m with = 8|m| + 8.

Now assume that m has its least significant bits equal to zero. Hence, we can
write m = m̄ 2^ and subsequently:

PKCS(m, ') = 2^ ( + m̄) .

From two encryptions of the same message m (i.e. i = [2^ ( i 2^ + m̄)]^e mod
for i = 1, 2), the attacker evaluates:



2eZ 2!3 -z 



mod 



( 1 - 2 ),[^( + 2 2^-^ + m)^'] (mod ) . 

1=0 



( 1 ) 



The attack consists in the following: assuming that 1 > 2 and that the number of
zeroes is large enough so that 0 < v < , relation (1) holds over the integers,
and = 1 − 2 must divide . Therefore, by extracting the small factors of
one expects to reconstruct a candidate for . The correct guess for will lead
to the message m using the low-exponent attack described in [7].

Letting be the bit-size of the random ' (the standard specifies ≥ 64), the
bit size of m, and the bit size of the modulus , the condition w − v < is
satisfied whenever:

+ ( − 1) × ( + 10) < . (2)

With = + + + 24, equation (2) is equivalent to:

( − 1) + ( − 2) + 10 − 34 < .



2.1 Determining the Factors of A Smaller than a Bound B 

The first step of our attack consists in computing a set 𝒟 of divisors of by
extracting the primes 𝒫 = { 1, …, i} that divide and are smaller than a
bound . If all the prime factors of are smaller than (in this case, is said
to be -smooth), then ∈ 𝒟. Since only a partial factorization of is required,
only factoring methods whose complexity depends on the size of the prime factors
are of interest here. We briefly recall four of these: trial division, Pollard's ρ
method, the p − 1 method and Lenstra's elliptic curve method (ECM), and express
for each method the asymptotic complexity ( ) of extracting a factor from a
number .

Trial Division Method: Trial division by primes smaller than a bound demands
a complexity of + log for extracting .
Pollard's ρ-Method [4]: Let be a factor of . Pollard's ρ-method consists in
iterating a polynomial with integer coefficients f (i.e. computing f( ) mod ,
f(f( )) mod , and so on) until a collision modulo is found (i.e. ≡ '
(mod )). Then with high probability gcd( − ' (mod ), ) yields . The
complexity of extracting a factor is . In practice, prime factors up
to approximately 60 bits can be extracted in reasonable time (less than a
few hours on a workstation).

p − 1 Method: If − 1 is -smooth then − 1 divides the product ℓ( ) of all
primes smaller than . Since mod = 1, we have mod = 1 and
thus gcd( − 1 mod , ) gives .

Lenstra's Elliptic Curve Method (ECM) [11]: ECM is a generalization of
the p − 1 factoring method. Briefly, a point of a random elliptic curve ℰ
modulo is generated. If #ℰ( ) (i.e. the order of the curve modulo ) is -
smooth, then [ℓ( )] = O, the point at infinity. This means that an illegal
inversion modulo has occurred and is revealed. ECM extracts a factor
of in exp((√2 + o(1)) √(log · log log )) expected running time. In practice,
prime factors up to 80 bits can be pulled out in reasonable time (less than a
few hours on a workstation).

Traditionally, ( ) denotes the number of integers < such that is 

smooth with respect to the bound . The theorem that follows gives an estimate 
for ( ) . 

Theorem 1 ([9]). For any non-negative real u, we have: 

hm ( 1/“)/ =p{u) 

x—^oo 

where ρ(u) is the so-called Dickman function, defined as:

ρ(t) = 1                                  if 0 ≤ t ≤ 1
ρ(t) = ρ(n) − ∫_n^t ρ(v − 1)/v dv        if n < t ≤ n + 1

Theorem 1 shows that a uniformly distributed random integer between 1
and is ^{1/u}-smooth with probability ρ(u). However, the integers referred to
in the sequel are not uniformly distributed. Consequently, the probability and
complexity estimates must be considered heuristic.

The probability that is -smooth is approximately ρ( / log₂ ). Thus, using
two ciphertexts, the probability of finding all factors of is ρ( / log₂ ).
When using ciphertexts, ( − 1)/2 paired combinations can be obtained. Assuming
statistical independence between the factorizations of the corresponding w,
approximately

= √(2 / ρ( / log₂ ))

ciphertexts are required to compute the factorization of at least one in
complexity:

( ) / ρ( / log₂ ) .
In practice, a factorization algorithm starts with trial division up to some bound
' (we took ' = 15000), then Pollard's ρ-method and the p − 1 method are
applied, and eventually the ECM. In Table 1 we give the running times obtained
on a Pentium 233-MHz to extract a prime factor of size L bits with the ECM,
using the arithmetic library MIRACL [12].

Table 1. Running times for extracting a prime factor of L bits using the ECM

L                  32    40    48    56    64     72
time in seconds     6    15    50    90    291    730


This clearly shows that for < 72, the factors of can be recovered effi- 
ciently. For > 72 we estimate in Table 2 the execution time and the number 
of required ciphertexts, when only factors up to 72 bits are to be extracted. 



Table 2. Running time and approximate number of ciphertexts needed to re-
cover the factorization of at least one

L                        128     160     192     224      256
time in seconds         1719    3440    7654    19010    51127
number of ciphertexts      3       4       5        8       12


2.2 Identifying the Candidates for U3 

From the previous section we obtain a set of primes 𝒫 = { 1, …, i} dividing
, such that the primes dividing are in 𝒫. From 𝒫 we derive a set 𝒟 = { j}
of divisors of , which contains . Denoting by ( ) the number of divisors of
an integer , the following theorem [10] provides an estimate of the number of
divisors of a random integer. We say that an arithmetical function f( ) is of the
average order of ( ) if

f(1) + f(2) + … + f( ) ~ (1) + … + ( ) .

We state: 

Theorem 2. The average order of ( ) is log . More precisely, we have:

(1) + (2) + … + ( ) = log + (2γ − 1) + O(√ )

where γ is Euler's constant.
Theorem 2 shows that if were uniformly distributed between 1 and then
its number of divisors, and consequently the average number of candidates for
, would be roughly log . Since is not uniformly distributed, this only provides
a heuristic argument to show that the average number of candidates for
should be polynomially bounded by log .

In practice, not all divisors j need to be tested since only divisors of length
close to or smaller than are likely to be equal to . Moreover, from Eq. (1)
and letting m2 = 2 + m̄, we have:



= 2l^-^ + rri2y-^-^mi 

j=o 



whence,



noting that 





*) = 0 (mod 

20—Z'je—l 



2/3-Z^e-l-i-fc^i+fc 

) for I < h < — 1 , 

(mod ) . 



In particular, when is prime, this simplifies to 

= e 2^{(β − )(e − 1)} = (mod ) .

This means that only a j satisfying = j{ (mod ) (or = 

(mod ) if is prime) is a valid candidate for . 



2.3 Recovering m Using the Low-Exponent RSA with Related 
Messages Attack 

The low-exponent attack on RSA with related messages described in [7] consists
in the following: assume that two messages m1, m2 verify a known polynomial
relation 𝒫 of the form

m2 = 𝒫(m1) with 𝒫 ∈ ℤ_ [ ], deg(𝒫) =

and suppose further that the two corresponding ciphertexts 1 and 2 are known.
Then = m1 is a common root of the polynomials Q1, Q2 ∈ ℤ_ [ ] given by

Q1( ) = ^e − 1 and Q2( ) = (𝒫( ))^e − 2

so that with high probability one recovers m1 by

gcd(Q1, Q2) = − m1 (mod ) .
From the previous section we obtain a set of divisors j of , among which one
is equal to . Letting m1 = PKCS(m, 1) and m2 = PKCS(m, 2) we have:

1 = m1^e (mod ), 2 = m2^e (mod ) and m2 = m1 − 2^

For a divisor j of , the attacker computes:

ℛ_j( ) = gcd( ^e − 1, ( − 2^ j)^e − 2) .

If j = then, with high probability, ℛ_j( ) = − m1 (mod ), which yields
the value of the message m, as announced.

3 Comparison with Coppersmith’s Attacks on 
Low-Exponent RSA 

Coppersmith's method is based on the following theorem [6]:

Theorem 3 (Coppersmith). Let 𝒫 ∈ ℤ_ [ ] be a univariate polynomial of
degree modulo an integer of unknown factorization. Let X be the bound on
the desired solution. If X < ^{1/ }, one can find all integers 0 with 𝒫( 0) = 0
(mod ) and | 0| ≤ X in time polynomial in (log , 1/ ).

Corollary 1 (Coppersmith). Under the same hypothesis and provided that
X < , one can find all integers 0 such that 𝒫( 0) = 0 (mod ) and | 0| ≤
X in time polynomial in (log ).

Theorem 3 applies in the following situations: 

Stereotyped Messages: Assume that the plaintext m consists of a known
part = 2^ and an unknown part . The ciphertext is = m^e = ( + )^e
(mod ). Using Theorem 3 with the polynomial 𝒫( ) = ( + )^e − , one
can recover from if | | < ^{1/e}.

Random Padding: Assume that two messages m and m' satisfy an affine
relation m' = m + with a small but unknown . From the RSA-encryptions
of the two messages:

= m^e mod and ' = (m + )^e mod

we eliminate m from the two above equations by taking their resultant, which
gives a univariate polynomial in modulo of degree e². Thus, if | | < ^{1/e²},
can be recovered, wherefrom we derive m as in Section 2.3.

In our case of interest, for a message ending with zeroes, the stereotyped
messages attack works for ( + ) < and the random padding attack works
for < . Neglecting constant terms, our method of Section 2 is effective for

+ ( − 1) <
Fig. 1. Domains of validity for = 3 of Coppersmith's stereotyped attack (1),
Coppersmith's random padding attack (2) and our attack (3).



Consequently, as illustrated in Figure 1, for = 3, our method improves Cop- 
persmith’s method whenever 




4 A Chosen Plaintext Attack for Arbitrary Exponents 

4.1 Description 

In this section we describe a chosen plaintext attack against PKCS#1 v1.5 en-
cryption for an arbitrary exponent . The attack makes use of a known flaw in
ElGamal encryption [3] and works for very short messages only. As in Section 2
we only consider messages ending with zeroes:

m = m̄ || 0 … 0_2 .

For a random ' consisting of nonzero bytes, the message m is transformed using
PKCS#1 v1.5 into:

PKCS(m, ') = 0002_16 || ' || 00_16 || m̄ || 0 … 0_2

and encrypted into = PKCS(m, ')^e mod . Letting = 0002_16 || ' || 00_16 || m̄, we
can write

PKCS(m, ') = 2^ .
We define = / 2^{ } = ^e (mod ), the bit-size of m̄, and X the bit-size of
. Hence, we have X = + + 10. Assuming that = 1 2 where 1 and 2
are integers smaller than a bound , we construct the table:

^{−e} mod for = 1 …

and for each = 0 … we check whether ^e mod belongs to the table, in
which case we have ^{−e} = ^e mod . Hence, from { , } we recover = · ,
which leads to the message m̄.

4.2 Analysis 

The attack requires O( (log )((log )² + log )) operations. Let ( ) denote
the number of integers v ≤ such that v can be written as v = v1 v2 with v1 ≤
and v2 ≤ . The following theorem gives a lower bound for ( ).

Theorem 4. For x → ∞ and 1/2 < α < 1,

liminf_{x→∞} ( , ^α)/ ≥ log(α/(1 − α)) . (3)

Proof: For ≥ ⌈√ ⌉, we define:

T( ) = { v ≤ such that v is -smooth and not ⌈ / ⌉-smooth } .

Any integer v ∈ T( ) has a prime factor lying between ⌈ / ⌉ and , and
so v = with ≤ and ≤ . Consequently,

( ) ≥ #T( ) . (4)

From Theorem 1 and ρ(t) = 1 − log t for 1 ≤ t ≤ 2, we have:

lim_{x→∞} #T( , ^α)/ = log(α/(1 − α))

which, using Eq. (4), gives (3). □

Since is not uniformly distributed between zero and 2^ , Theorem 4 only
provides a heuristic argument to show that when taking = 2^{α } with α > 1/2,
then with probability greater than

log(α/(1 − α))

the attack recovers in complexity .

Thus, an eight-bit message encrypted with PKCS#1 v1.5 with a 64-bit random
padding string can be recovered with probability ≈ 0.16 in time and space
complexity approximately 2^{ } (with α = 0.54).
5 Experiments and Counter-Measures

A number of counter-measures against Bleichenbacher's attack are listed on RSA
Laboratories' web site (http://www.rsa.com/rsalabs/). A first recommendation
is a rigorous format check of all decrypted messages. This has no effect on
our attack since we never ask the legitimate receiver to decrypt anything. A
second quick fix consists in having the sender demonstrate knowledge of m to
the recipient, which is done by disclosing some additional piece of information.
This also has no effect on our attack. The same is true for the third correction,
where a hash value is incorporated in m, if the hash value occupies the most
significant part of the plaintext, i.e.

PKCS(m, ') = 0002_16 || ' || 00_16 || SHA(m) || m .

A good way to thwart our attack is to limit . This can be very simply
achieved by forcing a constant pattern r in PKCS(m, '):

PKCS(m, ') = 0002_16 || ' || 00_16 || m || r .

This presents the advantage of preserving compatibility with PKCS#1 v1.5 and
being very simple to implement. Unfortunately, the resulting format is insuffi-
ciently protected against [2]. Instead, we suggest using:

PKCS(m, ') = 0002_16 || ' || 00_16 || m || SHA(m, ')

which appears to be an acceptable short-term choice (' was added to the hash
function input to better resist [2] at virtually no additional cost). For long-term
permanent solutions, we recommend OAEP (PKCS#1 v2.0) [1].
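To make the structural point of Sections 2 and 5 concrete, here is an added example (not code from the paper): the original v1.5 encoding of a message ending in z zero bytes yields a block divisible by 2^(8z), which is the 2^β factor relation (1) builds on, while the SHA(m, r) suffix suggested above removes that structure and gives the receiver a format check. SHA-1 as the hash, the function names and the constructed sample message are assumptions.

```python
"""PKCS#1 v1.5 padding of a message ending in zero bytes: original format vs. the
SHA(m, r) suffix of Section 5. Added example, not code from the paper. No RSA key
is involved; the point is the arithmetic structure of the padded block. SHA-1 as
the hash, the names below and the sample message are assumptions."""
import hashlib
import hmac
import os

HASH_LEN = 20  # SHA-1 digest length; the paper writes SHA(m, r) without naming a variant


def sha(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def nonzero_random_bytes(n: int) -> bytes:
    """n random nonzero bytes, as the v1.5 padding string r requires."""
    out = bytearray()
    while len(out) < n:
        out += bytes(x for x in os.urandom(n - len(out)) if x != 0)
    return bytes(out)


def pkcs1_v15_encode(m: bytes, r: bytes, k: int) -> bytes:
    """Original block 0002_16 || r || 00_16 || m for a k-byte modulus (len(r) = k - 3 - len(m) >= 8)."""
    if len(r) != k - 3 - len(m) or len(r) < 8 or 0 in r:
        raise ValueError("padding string must be k-3-|m| >= 8 nonzero bytes")
    return b"\x00\x02" + r + b"\x00" + m


def hardened_encode(m: bytes, r: bytes, k: int) -> bytes:
    """Section 5 suggestion: 0002_16 || r || 00_16 || m || SHA(m, r)."""
    if len(r) != k - 3 - len(m) - HASH_LEN or len(r) < 8 or 0 in r:
        raise ValueError("padding string must be k-3-|m|-20 >= 8 nonzero bytes")
    return b"\x00\x02" + r + b"\x00" + m + sha(m + r)


def hardened_decode(block: bytes, k: int):
    """Receiver-side format check for the hardened block: returns m, or None on any
    mismatch (wrong length, wrong header, short padding, or hash failure)."""
    if len(block) != k or block[:2] != b"\x00\x02":
        return None
    sep = block.find(b"\x00", 2)
    if sep < 10:  # at least 8 nonzero padding bytes must precede the separator
        return None
    r, body = block[2:sep], block[sep + 1:]
    if len(body) < HASH_LEN:
        return None
    m, tag = body[:-HASH_LEN], body[-HASH_LEN:]
    if not hmac.compare_digest(sha(m + r), tag):
        return None
    return m


def trailing_zero_bits(block: bytes) -> int:
    """Largest beta such that int(block) = 2^beta * (odd number); this 2^beta factor
    is what relation (1) in Section 2 relies on."""
    x = int.from_bytes(block, "big")
    return (x & -x).bit_length() - 1 if x else 0


def compare_formats(m: bytes, k: int = 128):
    """Pad the same message both ways with fresh random r; return (beta_v15, beta_hardened)."""
    v15 = pkcs1_v15_encode(m, nonzero_random_bytes(k - 3 - len(m)), k)
    hard = hardened_encode(m, nonzero_random_bytes(k - 3 - len(m) - HASH_LEN), k)
    return trailing_zero_bits(v15), trailing_zero_bits(hard)


if __name__ == "__main__":
    # constructed sample: a short message followed by 16 zero bytes (beta = 128 bits)
    msg = b"stereotyped message" + b"\x00" * 16
    print(compare_formats(msg))
```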

6 Extensions and Conclusions 

We proposed two new chosen-plaintext attacks on the PKCS#1 v1.5 encryp-
tion standard. The first attack applies to small public exponents and shows
how messages ending with sufficiently many zeroes can be recovered from the ci-
phertexts corresponding to the same plaintext. It is worth seeing our technique
as a cryptanalytic tool of independent interest, which provides an extension of
Coppersmith's low-exponent attack. Our second attack, although remaining of
exponential complexity in a strict sense, shows how to extend the weakness to
any public exponent in a practical way.

The attacks can, of course, be generalized in several ways. For instance, one
can show that the padding format:

μ(m1, m2, ') = 0002_16 || m1 || ' || 00_16 || m2

(where the plaintext m = m1 || m2 is spread between two different locations) is
equally vulnerable to the new attack: redefining '' = m1 || ', we can run the
attack (as is) on PKCS(m, '') and notice that the size of will still be ' given
that the most significant part of '' is always constant.

We believe that such examples illustrate the risk induced by the choice of
ad hoc low-cost treatments as message paddings, and highlight the need for
carefully scrutinized encryption designs, strongly motivating (once again) the
search for provably secure encryption schemes.
A A Full-Scale 1024-Bit Attack

To confirm the validity of our attack, we ran it on RSA Laboratories' official
1024-bit challenge RSA-309 for the public exponent = 3. As a proof of proper
generation, 1 and 2 were chosen to be RSA-100 mod 2^128 and RSA-110 mod 2^128.
The parameters are = 1024, = 280, = 128, = 592 and = 880. Note that
since > /9 and + > /3, Coppersmith's attack on low-exponent RSA does
not apply here.

Using the ECM it took a few hours on a single workstation to find that:

= 1 × ∏_{i=2}^{10} i

where all the i are primes. Amongst the 3072 = 6 × 2^9 possible divisors only
663 corresponded to 128-bit candidates { 1, 2, …, 663} where the i are in
decreasing order. Then we computed:

ℛ_j( ) = gcd( ^e − 1, ( − 2^ j)^e − 2) for 1 ≤ j ≤ 663 .

For j ≠ 25, ℛ_j( ) = 1 and for j = 25 we obtained:

ℛ_25( ) = − m1 .

One can check that: 

5 

2 ^ = W = 123458 

and 

m1 = PKCS(m, 1) .



Abstract. We present a chosen-ciphertext attack against both NICE
cryptosystems. These two cryptosystems are based on computations in
the class group of non-maximal imaginary orders. More precisely, the
systems make use of the canonical surjection between the class group
of the quadratic order of discriminant √(−pq²) and the class group of
the quadratic order of discriminant √(−p). In this paper, we examine the
properties of this canonical surjection and use them to build a chosen-
ciphertext attack that recovers the secret key (p and q) from two cipher-
text/cleartext pairs.



1 Overview 

In [5], Hartmann, Paulus and Takagi have presented a new public-key cryptosys-
tem based on ideal arithmetic in quadratic orders. This system was called NICE,
which stands for New Ideal Coset Encryption.

In [7], Hühnlein, Jacobson, Paulus and Takagi have presented a cryptosystem
analogous to ElGamal encryption [4] that uses the same properties of arithmetic
in imaginary quadratic orders as NICE. They called it HJPT.

The security of the NICE and HJPT cryptosystems is closely related to fac-
toring the discriminant of the quadratic order, which is a composite number of
the special form −pq². While there exists an algorithm that allows the factoriza-
tion of numbers of the form for large (see [2]), no dedicated algorithm
is currently known to factor numbers with a square factor. Furthermore, for
appropriate sizes of the parameters, the currently known general factoring algo-
rithms are not applicable to a direct attack. In [8], the authors also give several
arguments to prove the security of their cryptosystem. Among these consider-
ations, they argue that the chosen-ciphertext attack is not applicable to their
cryptosystem.

Indeed, it seems that from a single chosen ciphertext, one cannot recover the
secret key. However, we show that with two well chosen ciphertexts, it is possible
to factor the discriminant, thus breaking the system.

This paper is organized as follows: we first give a brief reminder of the prop- 
erties of the class group of a quadratic order and recall the main ideas of the 
two cryptosystems. Then we present our chosen-ciphertext attack and finally we
give an example of this attack. 

2 Theoretical Background 

The NICE and HJPT cryptosystems rely on the canonical surjection between 
the class group of a non-maximal order and the class group of the maximal order 
in an imaginary quadratic field. We will first recall the properties of the class 
groups and the surjection before presenting the algorithms. 



2.1 Class Group of a Quadratic Order 

An introduction to quadratic orders and their class groups can be found in [3]. 
In this section, we briefly recall the definition and main properties of the class 
group of a quadratic order. 



Definitions and Properties. 

Quadratic Field. Let = Q(√ ) be a quadratic field with ≠ 1 squarefree. Let
Δ1 be the discriminant of . If ≡ 1 mod 4, we can take 1, (1 + √ )/2 as an
integral basis for and Δ1 = , while if ≡ 2 or 3 mod 4, we can take 1, √
and we have Δ1 = 4 .

Fundamental Discriminant. An integer Δ1 is called a fundamental discriminant
if Δ1 is the discriminant of a quadratic field . In other words, Δ1 ≠ 1 and
either Δ1 ≡ 1 mod 4 and is squarefree, or Δ1 ≡ 0 mod 4, Δ1/4 is squarefree and
Δ1/4 ≡ 2 or 3 mod 4. In the NICE cryptosystem, we consider only Δ1 < 0 and
such that Δ1 ≡ 1 mod 4.

Order of a Quadratic Field. An order in is a subring of which as a ℤ-
module is finitely generated and of maximal rank = ( ). Every element of
an order is an algebraic integer. If is a quadratic field of discriminant Δ1, then
every order of has discriminant ² Δ1, where is a positive integer called
the conductor of the order. Conversely, if Δq is any non-square integer such that
Δq ≡ 0 or 1 mod 4, then Δq is uniquely of the form Δq = ² Δ1 where Δ1 is a
fundamental discriminant, and there exists a unique order of discriminant
² Δ1.

Maximal Order. Let 𝒪_Δq be the order of discriminant Δq. It can be written as
𝒪_Δq = ℤ + ℤ where = is related to 𝒪_Δ1 by the relation
𝒪_Δq = ℤ + 𝒪_Δ1 and we have 𝒪_Δq ⊂ 𝒪_Δ1. We call 𝒪_Δ1 the maximal order. It
is the ring of integers of the quadratic field Q(√Δ1).
Ideals of a Quadratic Order. An ideal 𝔞 of 𝒪_Δq can be written as

𝔞 =

where ∈ ℤ, > 0, ∈ ℤ, > 0, and ∈ ℤ such that ² ≡ Δq mod 4 .

The norm of the ideal is defined as (𝔞) = . When = 1, we say that 𝔞 is
primitive and we represent it by the pair ( , ).

Two ideals 𝔞, 𝔟 ∈ 𝒪_Δq are called equivalent if there exists α ∈ 𝒪_Δq \ {0} such
that α𝔞 = 𝔟. We denote this relation by 𝔞 ~ 𝔟. For any element γ ∈ 𝒪_Δq the
ideal γ𝒪_Δq is called a principal ideal. If 𝔞 and 𝔟 are two principal ideals, they
are equivalent.

For a primitive ideal, we say that 𝔞 = ( , ) is reduced if and only if
| | ≤ ≤ = ( ² − Δq)/(4 ) and moreover ≥ 0 when = or = | |. There
exists a unique reduced ideal in the equivalence class of an ideal 𝔞, denoted by
. An algorithm to compute it from 𝔞 is described in [3, p. 238].

The reduction algorithm works as follows in the quadratic order of discrimi-
nant Δ: we start with an ideal ( , ) with − < ≤ and proceed by successive
steps. In each step, we replace ( , ) by ( ', ') where ' = ( ² − Δ)/(4 ) and '
satisfies − = ' + 2 ' with − ' < ' ≤ '. When it reaches a reduced ideal, the
algorithm stops.

For any reduced ideal 𝔞 = ( , ), < √(|Δq|/3). Conversely, for a primitive
ideal, if < √(|Δq|/4), then 𝔞 is reduced.

Class Group. The ideals of 𝒪_Δq, respectively 𝒪_Δ1, whose norm is prime to f
form an Abelian group. They are called ideals prime to f. We denote this group
by I_Δq(f), respectively I_Δ1(f). If f is a prime and √(|Δ1|/3) < f, then all the
reduced ideals in 𝒪_Δ1 have a norm prime to f. From now on, we will suppose
that this is the case.

In 𝒪_Δq, the principal ideals prime to f form a subgroup of I_Δq(f). We denote
it by P_Δq(f). The quotient group I_Δq(f)/P_Δq(f) is called the class group of 𝒪_Δq
and denoted by Cl(Δq).

We can consider the following map:

φ_q : I_Δq(f) → I_Δ1(f), 𝔞 ↦ Δ1(𝔞𝒪_Δ1)

φ_q is a surjective group morphism.

We can also define a restricted inverse map, denoted φ_q^{−1}:

φ_q^{−1}( , ) = ( , mod 2 )

We have indeed φ_q(φ_q^{−1}(𝔞)) = Δ1(𝔞). Conversely, for an ideal
𝔞 = ( , ) ∈ 𝒪_Δq such that < √(|Δ1|/4), we have φ_q^{−1}(φ_q(𝔞)) = 𝔞. However,
if > √(|Δ1|/4), we may have φ_q^{−1}(φ_q(𝔞)) ≠ 𝔞. Our attack relies on this obser-
vation.
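The reduction algorithm recalled in Section 2.1 above, as an added example (not code from the paper): starting from a primitive ideal (a, b) of discriminant Δ < 0 it applies the step (a, b) → (a', b') with a' = (b² − Δ)/(4a) and b' ≡ −b (mod 2a') until the reduced-ideal condition |b| ≤ a ≤ c holds, and checks the bound a ≤ √(|Δ|/3) stated above. The function names and the demo discriminant Δ = −23 are assumptions.

```python
"""Reduction of primitive ideals (a, b) in an imaginary quadratic order of discriminant
disc < 0 (the algorithm recalled in Section 2.1). Added example, not the paper's code;
function names and the demo discriminant are assumptions. c = (b^2 - disc)/(4a) is the
third coefficient, so the pair (a, b) stands for the form (a, b, c)."""


def third_coeff(a: int, b: int, disc: int) -> int:
    """c with b^2 - 4ac = disc; rejects pairs that are not ideals of that discriminant."""
    num = b * b - disc
    if a <= 0 or num % (4 * a) != 0:
        raise ValueError("(a, b) is not a primitive ideal of discriminant disc")
    return num // (4 * a)


def normalize(a: int, b: int) -> int:
    """Representative of b modulo 2a in the interval (-a, a]."""
    b %= 2 * a
    return b - 2 * a if b > a else b


def is_reduced(a: int, b: int, disc: int) -> bool:
    """|b| <= a <= c, and b >= 0 when a == c or a == |b| (definition in Section 2.1)."""
    c = third_coeff(a, b, disc)
    if not (abs(b) <= a <= c):
        return False
    return b >= 0 if (a == c or a == abs(b)) else True


def reduce_ideal(a: int, b: int, disc: int):
    """Return (a', b', steps): the unique reduced ideal equivalent to (a, b) and the
    number of reduction steps (a, b) -> (c, -b mod 2c) applied to reach it."""
    if disc >= 0 or disc % 4 not in (0, 1):
        raise ValueError("disc must be negative and congruent to 0 or 1 mod 4")
    b = normalize(a, b)  # the algorithm starts from -a < b <= a
    steps = 0
    while True:
        c = third_coeff(a, b, disc)
        if a < c:
            break  # |b| <= a < c: reduced (b == -a is excluded by normalization)
        if a == c:
            b = abs(b)  # (a, b, a) and (a, -b, a) are equivalent; take the sign the definition wants
            break
        # one reduction step: a' = c and b' = -b (mod 2a') with -a' < b' <= a'
        a, b = c, normalize(c, -b)
        steps += 1
    return a, b, steps


def norm_bound_holds(a: int, disc: int) -> bool:
    """Every reduced ideal satisfies a <= sqrt(|disc|/3) (Section 2.1); checked as 3a^2 <= |disc|."""
    return 3 * a * a <= -disc


if __name__ == "__main__":
    # constructed demo in the order of discriminant -23, whose class group has three classes
    for a, b in ((3, 1), (6, 1), (4, 3)):
        ra, rb, n = reduce_ideal(a, b, -23)
        print(f"({a}, {b}) -> ({ra}, {rb}) after {n} step(s); reduced={is_reduced(ra, rb, -23)}")
```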
How to Compute ψ_q. Let ψ_q be the map between the primitive ideals of 𝒪_Δq
and the primitive ideals of 𝒪_Δ1 defined by ψ_q(𝔞) = 𝔞𝒪_Δ1. We clearly
have φ_q = Δ1 ∘ ψ_q. To compute ψ_q(𝔞) from 𝔞 = ( , ), proceed as follows:

ψ_q( , ) = (A, ) where A = and + = 2 + with − < ≤ ,
≡ Δq mod 2, 1 = μ + ν for μ, ν ∈ ℤ. To compute φ_q(𝔞), we must then apply
to (A, ) the reduction algorithm described in section 2.1.

2.2 Description of the Cryptosystems 
Description of NICE. 



The Key Generation. The key generation consists in generating two random
primes p, q > 4 with p ≡ 3 mod 4 and 3 < . We then let

Δq = −pq²

and choose an ideal 𝔭 in Cl(Δq), where φ_q(𝔭) = 1_{Cl(Δ1)}. To generate such a 𝔭,
proceed as follows: choose a number α ∈ 𝒪_Δq with norm less than √(|Δq|/4), com-
pute the standard representation of the ideal α𝒪_Δ1 and compute .

Let and l be the bit lengths of ⌊√(|Δ1|/4)⌋ and respectively, where
( ) is the Kronecker symbol. The public key is (𝔭, Δq, , l) and the secret key
is ( , Δ1). None of the maps φ_q, ψ_q, φ_q^{−1} are public.

Encryption and Decryption Procedures. A message is represented by an ideal 𝔪,
where 𝔪 is reduced in Cl(Δq) and log₂ (𝔪) < , which means that φ_q(𝔪) is also
reduced in Cl(Δ1). The embedding of a message into an ideal that represents
it may be done as follows: let be the message and t a random number of
length − 2 − ⌊log₂ ⌋ + 1. We determine the smallest prime larger than the
concatenation of and t as bit strings with ( ) = 1. Then we need to compute
such that ² ≡ Δq mod 4 , − < ≤ . Our message is finally encoded as
𝔪 = ( , ).

We encrypt the message by computing 𝔠 = Δq(𝔪𝔭^r), where r is a random
l − 1 bit integer.

To decrypt, we compute 𝔱 = φ_q(𝔠).

Since

φ_q(𝔪𝔭^r) = φ_q(𝔪) φ_q(𝔭^r) = φ_q(𝔪)

the plaintext is then 𝔪 = φ_q^{−1}(𝔱).

Note that this is a probabilistic encryption and the multiplication by 𝔭^r
allows one to choose a random pre-image of φ_q(𝔪) by φ_q.
Description of HJPT. In this cryptosystem, the encryption is done completely
analogously to ElGamal encryption [4] in the non-maximal order 𝒪_Δq. All ideals
are chosen prime to . The public parameters are the discriminant Δq, an ideal
𝔤 ∈ 𝒪_Δq, called the base ideal, and an ideal 𝔞 ∈ 𝒪_Δq such that 𝔞 =
where is a random integer ∈ [2, ⌊√|Δ1|⌋]. The secret key is and .

We embed the message in an ideal 𝔪 ∈ 𝒪_Δq as in NICE, select an integer
and compute (𝔫1, 𝔫2) where 𝔫1, 𝔫2 are reduced ideals in 𝒪_Δq and

𝔫1 =

𝔫2 =

We require (𝔪) < √(|Δ1|/4) in order to uniquely decrypt the message 𝔪.

The decryption works in the maximal order 𝒪_Δ1. We compute:

𝔱1 =

𝔱2 = φ_q(𝔫2)

𝔪 = φ_q^{−1}( )

𝔪 is the decoded message.



Security Considerations. The security of the cryptosystems depends on the
difficulty of factoring the discriminant Δq. If it can be factored, the cryptosys-
tems are clearly broken.

To prevent a direct factorization of Δq using general methods such as the
number field sieve or the elliptic curve method, the authors suggest that we
choose p and q larger than 256 bits. Although Δq is of the special form −pq²,
there exists no dedicated algorithm better than the general ones. They conclude
that their system is secure against attacks by factorization.

The authors also prove that nobody can compute φ_q( ) without the knowl-
edge of the conductor . That means that it is not possible to recover the message
from the coded ideal without the knowledge of the factors of Δq.

Concerning NICE, Paulus and Takagi then argue that the knowledge of 𝔭
does not substantially help to factor Δq. A possible attack would be to find an
ideal 𝔣, a power of 𝔭 in 𝒪_Δq, such that 𝔣 ~ 1 and 𝔣 ≠ 1; however, the only apparent
way to do that is to compute the order of 𝔭 in the group Cl(Δq), which is much
slower than factoring Δq with the available algorithms.

In [8], Paulus and Takagi also claim that the chosen-ciphertext attack is not
applicable to their cryptosystem and give a few observations.
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3 The Chosen-Ciphertext Attack 

In this section, we study more precisely the question of the chosen-ciphertext
attack. As claimed in section 2.2, the knowledge of one coded message and
the corresponding decrypted message is indeed not sufficient for factoring Δq.
However, we show that with two chosen ciphertexts, factoring Δq becomes easy.

Both cryptosystems use the following property of the canonical surjection to
recover the message after encryption:

φ_q^{−1}(φ_q(𝔪)) = 𝔪 if (𝔪) < √(|Δ1|/4).

Conversely, the attack uses the fact that

φ_q^{−1}(φ_q(𝔪)) ≠ 𝔪 if (𝔪) > √(|Δ1|/3).

3.1 Relation Involving a Single Chosen Ciphertext 

The main idea behind our attack is to use a message 𝔪 slightly longer than
proper messages and hope that in 𝒪_Δ1 the corresponding ideal will be a single
reduction step away from a reduced ideal. Note that after multiplication by
a power of 𝔭 (in NICE) or 𝔞 (in HJPT), there is no way for the deciphering
process to distinguish a correct ciphertext from an incorrect one, and thus to
detect this attack. Of course, if one adds some verification bits to the message,
then it becomes feasible to make this distinction. This will be further discussed
in section 3.3. In order to attack the system we need to make explicit the relation
between the original message and the decoded message.

Let 𝔪 = ( , ) ∈ Cl(Δq) be a message such that

It means that ψ_q(𝔪) is not reduced in 𝒪_Δ1. If we further suppose that a single
reduction step is needed to reduce ψ_q(𝔪), we can make precise the relation
between 𝔪 and φ_q^{−1}(φ_q(𝔪)).

We apply the decryption algorithm and one reduction step as described in
section 2.1 to 𝔪 and, instead of finding 𝔪, we obtain 𝔪' = ( ', ') where ( ', ')
satisfies:

' = ( ² − Δ1)/(4 )
' ≡ − (mod 2 ')

and is an integer that satisfies − < ≤ .

3.2 How to Find a Suitable Ciphertext 

In order to be sure that a given message ( , ) will not be reduced in 𝒪_Δ1
we need to take > √(|Δ1|/3). Moreover, from [3, p. 239], we know that if ( , )
is an ideal of 𝒪_Δ1 such that − < ≤ and < √|Δ1|, then either ( , )
is already reduced, or the ideal ( ', ') where ' = ( ² − Δ1)/(4 ) and
− = 2 ' + ' with − ' < ' ≤ ', obtained by one reduction step, will be reduced.

In order to be sure that our ciphertext will have the described properties, we
need to choose as follows:

√(|Δ1|/3) < < √|Δ1| .

Since we can estimate |Δ1| to be approximately |Δq|^{1/3}, should be of the
size of |Δq|^{1/6}. Moreover, the maximum size of possible messages, that is the bit
length of ⌊√(|Δ1|/4)⌋, is public, thus giving us the bit length of √(|Δ1|/3). With
this information, we need only two ciphertexts in the correct range to break
the system. However, if the given maximum size has been underestimated, it
may be that our first try for will still be in the allowed range of correct
decryption. We may thus have to decrypt a few more messages, multiplying
by steps of √3 before finding a suitable .



3.3 Using Two Chosen Ciphertexts 



With only one pair (m, m') we cannot find i, but with two such pairs (m_1, m'_1), (m_2, m'_2), we have: 

r , ^ N^-Ai 

J 1 4mi 

) , _ N^-Ai 



4:1712 



and then: 

We need to find 
equation: 

Let = 1+2 



— 1 — 4: I I 1 — 4 2 2 

1 , 2 - That means we have to find an integer solution of the 

A 'A ' _ 2 2 

4l 1-42 2- 1- 2- 
= 1 — 2 and =4 i i— 4 2 2 > ^duation now is: 



2 

2 ■ 



where is known and , unknown. Once is found, we can easily compute 
1 , 2 and . Since is a factor of , it suffices to factor and try every 

divisor as a possible value for . Since the number of factors of is quite 
small, the possible can be tested in a reasonable amount of time. When 
4 1 (— 1=4 2 2 ~ 2 i there is a high probability that we have found the 

correct . We just need to check that this value of 1 divides q. 

The size of is approximately the size of ^ . As we choose approximately 
of size -^/j J, the size of is -^/j J. With the parameters given in [8] , , and 
all have 256 bits, thus is easy to factor and the attack succeeds. 

If we want to prevent the attack from succeeding, we need a size for  that prevents its factorization. Since  is an ordinary number, it may well have many small factors. Moreover, using more ciphertexts, we may choose between many values of  one that factors easily. This means that, for the algorithms to be secure,  should have at the very least 768 bits. We would then have keys of 2304 bits. 

To repair the cryptosystem, one could add redundancy to the plaintext before encryption. If after decryption the obtained message does not have this redundancy, the output is discarded, thus preventing someone from feeding wrong messages to the decryption algorithm. However, this should preferably be done in a provably secure way. Ideas from the OAEP work of Bellare and Rogaway [1] may be of use. However, as usual with this approach, it will decrease the number of information bits in the message. 

4 Example 

The example described in this section is based on the NICE cryptosystem. In [8], 
it is suggested that security should be assured for the factorization attack if 
and are larger than 256 bits and if q is larger than 768 bits. In our example, 
we took q of 770 bits, a of 256 bits and a of 257 bits. 

Public key: 

q = -100113361940284675007391903708261917456537242594667 
4915149340539464219927955168182167600836407521987097 
2619973270184386441185324964453536572880202249818566 
5592983708546453282107912775914256762913490132215200 
22224671621236001656120923 

P = ( ) 

= 570226877089425831816858843811755887130078318076 
9995195092715895755173700399141486895731384747 
= -33612360405827547849585862980179491106487317456 
05930164666819569606755029773074415823039847007 
Messages used for the attack: 

mi = ( 1 i) 

1 = 580951478417429243174778727763020568653 

1 = 213263727465080837260496771081640651435 

m2 = ( 2 2) 

2 = 580951478417429243174778727763020568981 
2 = 551063505588645995299391690184984802119 

Decoded messages: 

m'i = ( ; '1) 

'1 = 83456697103393374949726594537861474869 
'1 = 78671653231911323093405599718880172057 
m'2 = ( 2 '2) 

2 = 83136382696910204396967308875383697767 
'2 = -79913230277300059043936659928820912889 

That gives us a value for : 

= 74434851201919726011132921747267789727706 
6007928155103527580608870278064120 

is factored into: 

= 2^ * 3 * 5 * 11 * 211 * 557 * 4111 * 155153 * 24329881 
*28114214269943 * 413746179653057 
*26580133430529627286021 

For the following values of and : 

= 2^ * 5 * 11 * 211 * 557 * 4111 * 155153 * 24329881 
*413746179653057 

= 166012950016425480566224036606412677340 
= 2 * 3 * 28114214269943* 26580133430529627286021 
= 4483677399537510200981356685786200818 



We found: 

= 1866698912741534378741757081805032596542815931 
03800953935381353078144162357587 

5 Conclusion 

Since the discrete logarithm problem in the class group of an imaginary quadratic order is a difficult problem (see [6]), it was tempting to build public key cryptosystems on it. However, for performance's sake, it was necessary to add more structure, and make use of the canonical surjection from O^g to Oai. Unfortunately, this additional structure opens a way to the chosen-ciphertext attack that was described here. 

Nonetheless, the discrete logarithm in class groups is an interesting problem 
that might yet find other applications to public key cryptography. 
Abstract. The security of many recently proposed cryptosystems is based on the difficulty of solving large systems of quadratic multivariate polynomial equations. This problem is NP-hard over any field. When the number of equations m is the same as the number of unknowns n the best known algorithms are exhaustive search for small fields, and a Gröbner base algorithm for large fields. Gröbner base algorithms have large exponential complexity and cannot solve in practice systems with n ≥ 15. Kipnis and Shamir [9] have recently introduced a new algorithm called "relinearization". The exact complexity of this algorithm is not known, but for sufficiently overdefined systems it was expected to run in polynomial time. 

In this paper we analyze the theoretical and practical aspects of relinearization. We ran a large number of experiments for various values of n and m, and analysed which systems of equations were actually solvable. We show that many of the equations generated by relinearization are linearly dependent, and thus relinearization is less efficient than one could expect. We then develop an improved algorithm called XL which is both simpler and more powerful than relinearization. For all 0 < ε < 1/2, and m ≥ εn², XL and relinearization are expected to run in polynomial time of approximately . Moreover, we provide strong evidence that relinearization and XL can solve randomly generated systems of polynomial equations in subexponential time when m exceeds n by a number that increases slowly with n. 



1 Introduction 

In this paper we consider the problem of solving systems of multivariate poly- 
nomial equations. This problem is NP-complete even if all the equations are 
quadratic and the field is GF(2). It has many applications in cryptography, since 

* An extended version of this paper is available from the authors. 

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 392-407, 2000. 

© Springer- Verlag Berlin Heidelberg 2000 
a large number of multivariate schemes had been proposed (and cryptanalysed) over the last few years. In addition, the problem arises naturally in other subareas of Mathematics and Computer Science, such as optimization, combinatorics, coding theory, and computer algebra. 

The classical algorithm for solving such a system is Buchberger's algorithm for constructing Gröbner bases, and its many variants (see, e.g., [1]). The algorithm orders the monomials (typically in lexicographic order), and eliminates the top monomial by combining two equations with appropriate polynomial coefficients. This process is repeated until all but one of the variables are eliminated, and then solves the remaining univariate polynomial equation (e.g., by using Berlekamp's algorithm over the original or an extension field). Unfortunately, the degrees of the remaining monomials increase rapidly during the elimination process, and thus the time complexity of the algorithm often makes it impractical even for a modest number of variables. In the worst case Buchberger's algorithm is known to run in double exponential time, and on average its running time seems to be single exponential. The most efficient variant of this algorithm which we are aware of is due to Jean-Charles Faugère (private communication [5,6]) whose complexity in the case of m = n quadratic equations is: 

— If K is big, the complexity is proved to be O(2^”) and is O(2^-^”) in practice. 

— When K = GF(2), the complexity is about O(2^”) (which is worse than the O(2^n) complexity of exhaustive search). 

In practice, even this efficient variant cannot handle systems of quadratic equations with more than about n = 15 variables. 

In this paper we are interested in the problem of solving overdefined systems 
of multivariate polynomial equations in which the number of equations m exceeds 
the number of variables n. Random systems of equations of this type are not 
expected to have any solutions, and if we choose them in such a way that one 
solution is known to exist, we do not expect other interference solutions to occur. 
We are interested in this type of systems since they often occur in multivariate 
cryptographic schemes: if the variables represent the cleartext then we want the 
decryption process to lead to a unique cleartext, and if the variables represent 
the secret key we can typically write a large number of polynomial equations 
which relate it to the known public key, to the cleartexts, and to the ciphertexts. 

Gröbner base techniques do not usually benefit from the fact that the number of equations exceeds the number of variables, since they proceed by sequentially eliminating a single monomial from a particular pair of equations. Unfortunately, this cryptographically important case received very little attention in the vast literature on Gröbner base algorithms. To see that much better algorithms exist in this case, consider a system of n(n+1)/2 random homogeneous quadratic equations in n variables x_1, ..., x_n. The well known linearization technique replaces each product x_i x_j by a new independent variable y_ij. The quadratic equations give a system of n(n+1)/2 linear equations in n(n+1)/2 variables which can be solved efficiently by Gauss elimination. Once we find all the y_ij values, we can find two possible values for each x_i by extracting the square root of y_ii in the field, and use the values of y_ij to combine correctly the roots of y_ii and y_jj. 
At Crypto 99, Kipnis and Shamir [9] introduced a new method for solving overdefined systems of polynomial equations, called relinearization. It was designed to handle systems of εn² quadratic equations in n variables where ε is smaller than 1/2. The basic idea of relinearization is to add to the given system of linear equations in the y_ij additional nonlinear equations which express the fact that these variables are related rather than independent. In its simplest form, relinearization is based on the commutativity of multiplication of 4-tuples of variables: for any a, b, c, d, $(x_a x_b)(x_c x_d) = (x_a x_c)(x_b x_d) = (x_a x_d)(x_b x_c)$ and thus $y_{ab} y_{cd} = y_{ac} y_{bd} = y_{ad} y_{bc}$. There are several generalizations of relinearization, including higher degree variants and a recursive variant. The relinearization technique can solve many systems of equations which could not be solved by linearization, but its exact complexity and success rate are not well understood. 

In the first part of this paper, we analyse the theoretical and practical aspects 
of the relinearization technique. We concentrate in particular on the issue of the 
linear independence of the generated equations, and show that many of the 
generated equations are provably dependent on other equations, and can thus 
be eliminated. This reduces the size of the linearized systems, but also limits the 
types of polynomial equations which can be successfully solved by the technique. 

In the second part of the paper, we introduce the XL (extended Linearization) technique which can be viewed as a combination of bounded degree Gröbner bases and linearization. The basic idea of this technique is to generate from each polynomial equation a large number of higher degree variants by multiplying it with all the possible monomials of some bounded degree, and then to linearize the expanded system. This is a very simple technique, but we prove that it is at least as powerful as relinearization. We analyse the time complexity of the XL technique, and provide strong theoretical and practical evidence that the expected running time of this technique is: 

— Polynomial when the number m of (random) equations is at least εn², and this for all ε > 0. 

— Subexponential if m exceeds n even by a small number. 

If the size of the underlying field is not too large, we can sometimes apply this subexponential technique even to underdefined (or exactly defined) systems of equations by guessing the values of some of the variables and simplifying the resulting equations. 

2 Experimental Analysis of the Relinearization Technique 

In this part we concentrate on systems of randomly generated homogeneous quadratic equations of the form: 

$$\sum_{1 \le i \le j \le n} a_{ijk}\, x_i x_j = b_k, \qquad k = 1, \ldots, m \qquad (1)$$

The general idea of the relinearization method is to first use linearization in order to solve the system of m linear equations in the n(n+1)/2 variables y_ij = x_i x_j. The system is typically underdefined, and thus we express each y_ij as a linear combination of l ≤ n(n+1)/2 new parameters t_1, ..., t_l. We then create additional equations which express the commutativity of the multiplication of the x_i which can be paired in different orders. Let (a, b, c, d, ..., e, f) ~ (a', b', c', d', ..., e', f') denote that the two tuples are permuted versions of each other. Then: 

$$(x_a x_b)(x_c x_d) \cdots (x_e x_f) = (x_{a'} x_{b'})(x_{c'} x_{d'}) \cdots (x_{e'} x_{f'}) \qquad (2)$$

This can be viewed as an equation in the y_ij variables, and thus also as an equation in the (smaller number of) parameters t_g expressing them. The new system of equations derived from all the possible choices of tuples of indices and their permutations can be solved either by another linearization or by recursive relinearization. 



2.1 Degree 4 Relinearization 

We have applied the degree 4 relinearization technique to a large number of systems of randomly generated homogeneous quadratic equations of various sizes. We always got linearly independent equations (except when the field was very small). For several small values of n, the critical number of equations which make the system (barely) solvable is summarized in Table 1. 

Table 1. Fourth degree relinearization 

   n    m     l     n'     m' 
   6    8    13    104    105 
   8   12    24    324    336 
  10   16    39    819    825 
  15   30    90   4185   4200 

n    Number of variables in original quadratic system 
m    Number of equations in original quadratic system 
l    Number of parameters in the representation of the y_ij 
n'   Number of variables in the final linear system 
m'   Number of equations in the final linear system 

Assuming the linear independence of the derived equations (which was experimentally verified), we can easily derive the asymptotic performance of degree 4 relinearization for large n: the method is expected to find the solution (in polynomial time) whenever the number of equations exceeds εn² for ε ≥ 1/2 − 1/√6 ≈ 0.1. This case is thus well understood. 
2.2 Higher Degree Relinearization 

The problem becomes much more complicated when we consider degree 6 relinearizations, which are based on all the equations of the form: 

$$y_{ab}\, y_{cd}\, y_{ef} = y_{gh}\, y_{ij}\, y_{kl} \quad \text{where } (a, b, c, d, e, f) \sim (g, h, i, j, k, l) \qquad (3)$$

Note that these equations are cubic in the free parameters t_s (even if the original equations are quadratic), so we need many more equations to relinearize it successfully. 

Unlike the case of degree 4 relinearizations, many of these equations were ex- 
perimentally found to be linearly dependent. We have identified several distinct 
causes of linear dependence, but its complete characterization is still an open 
research problem. 

We first have to eliminate trivial sources of linear dependence. We only have to consider 6-tuples of indices (a, b, c, d, e, f) which are sorted into non-decreasing order within each successive pair (a, b), (c, d), (e, f), and then into non-decreasing lexicographic order on these pairs. For 6-tuples which contain 6 distinct indices such as (0, 1, 2, 3, 4, 5), we get 15 (rather than 6! = 720) legal permutations: 

(0,1, 2,3, 4,5)  (0,1, 2,4, 3,5)  (0,1, 2,5, 3,4) 
(0,2, 1,3, 4,5)  (0,2, 1,4, 3,5)  (0,2, 1,5, 3,4) 
(0,3, 1,2, 4,5)  (0,3, 1,4, 2,5)  (0,3, 1,5, 2,4) 
(0,4, 1,2, 3,5)  (0,4, 1,3, 2,5)  (0,4, 1,5, 2,3) 
(0,5, 1,2, 3,4)  (0,5, 1,3, 2,4)  (0,5, 1,4, 2,3) 

so we can create 14 possible equations. But for the 6-tuple (0, 1, 1, 1, 1, 2), there are only 2 legal permutations, (0, 1, 1, 1, 1, 2) and (0, 2, 1, 1, 1, 1), and thus we get only one equation. In general, there are 32 types of repetition of values in the given 6-tuple, and each one of them gives rise to a different number of equations. Table 2 summarizes the number of non-trivial equations which can actually be formed using 6-tuples for small values of n. 



Table 2. Number of non-trivial equations defined by 6-tuples 

   n    equations 
   4          136 
   5          470 
   6         1309 
   7         3136 
   8         6720 
   9        13212 
  10        24255 
  11        42108 
  12        69784 
  20      1388520 
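The legal-permutation count and the entries of Table 2 can be checked mechanically. The following is an added example and not code from the paper: it enumerates the canonical pairings of a 6-tuple exactly as described above, counts the non-trivial equations by brute force, and also evaluates a closed form that is my own derivation (not stated in the paper) and is checked against the brute-force count.

```python
"""Added example, not code from the paper: enumerate the legal permutations of
a 6-tuple of indices (sorted inside each pair (a,b), (c,d), (e,f), pairs in
lexicographic order) and count the non-trivial degree 6 equations of Table 2."""
from itertools import combinations_with_replacement, permutations
from math import comb


def legal_permutations(indices):
    """Distinct ways to split the multiset `indices` into unordered pairs,
    each written in the canonical (flattened, sorted) form used in the text."""
    r = len(indices)
    seen = set()
    for perm in permutations(range(r)):
        pairs = sorted(tuple(sorted((indices[perm[i]], indices[perm[i + 1]])))
                       for i in range(0, r, 2))
        seen.add(tuple(v for pair in pairs for v in pair))
    return sorted(seen)


def nontrivial_equations(n, r=6):
    """Every r-multiset of indices from {0,...,n-1} with L legal permutations
    gives L-1 equations; sum over all multisets by brute force."""
    return sum(len(legal_permutations(t)) - 1
               for t in combinations_with_replacement(range(n), r))


def nontrivial_equations_closed_form(n):
    """My own derivation (an assumption, not stated in the paper): a legal
    permutation is a multiset of three pair types chosen from the n(n+1)/2
    products y_ij, so there are C(n(n+1)/2 + 2, 3) of them in total, and each
    of the C(n+5, 6) index multisets contributes one equation fewer."""
    return comb(n * (n + 1) // 2 + 2, 3) - comb(n + 5, 6)


if __name__ == "__main__":
    print(len(legal_permutations((0, 1, 2, 3, 4, 5))))   # 15, as in the text
    print(legal_permutations((0, 1, 1, 1, 1, 2)))         # the 2 permutations
    for n in (4, 5, 6):
        print(n, nontrivial_equations(n), nontrivial_equations_closed_form(n))
```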
2.3 Eliminating Redundant Linear Equations 

In this section we show that most of the non-trivial equations defined so far are redundant, since they can be linearly derived from other equations. Consider a typical non-trivial equation generated by degree r relinearization: 

$$y_{i_1 i_2}\, y_{i_3 i_4} \cdots y_{i_{r-1} i_r} = y_{j_1 j_2}\, y_{j_3 j_4} \cdots y_{j_{r-1} j_r} \quad \text{with } (i_1, \ldots, i_r) \sim (j_1, \ldots, j_r) \qquad (4)$$

We call such an equation special if the lists of y's are the same on both sides of the equation, except for exactly two y's whose indices are permuted. For example, the non-trivial equation 

$$y_{01}\, y_{23}\, y_{45}\, y_{67}\, y_{89} = y_{01}\, y_{27}\, y_{36}\, y_{45}\, y_{89} \qquad (5)$$

is special since 3 out of the 5 terms are common in the two expressions. For large n only a small fraction of the equations are special, but we can prove: 

Lemma: The set of special equations linearly spans the set of all the non-trivial equations for the same relinearization degree. 

Proof (sketch): Consider two particular permutations A and B of the same r-tuple of indices, which define one of the possible equations. A basic property of permutation groups is that any permutation can be derived by a sequence of transpositions which affect only adjacent elements. Consider the pairing of consecutive indices which defines the sequence of y's. Applying a single transposition of adjacent indices can permute the indices of at most two y's, and thus we can derive the equality of the product of y's for any two permuted versions of some subset of indices from the transitivity of the equality in special equations. 

To further reduce the number of equations, recall that each y_ij variable is a linear combination of a smaller number of parameters t_g. Instead of having all the possible common products of y_ij variables on both sides of the equation, it suffices to consider only common products of t_g parameters, since each product of the first type is expressible as a linear combination of products of the second type. We can thus consider only the smaller number of equations of the form: 

$$y_{ab}\, y_{cd}\, t_e t_f \cdots t_g = y_{ac}\, y_{bd}\, t_e t_f \cdots t_g = y_{ad}\, y_{bc}\, t_e t_f \cdots t_g \qquad (6)$$

The common t's on both sides of the equation seem to be cancellable, and thus we are led to believe that degree r relinearization is just a wasteful representation of degree 4 relinearization, which can solve exactly the same instances. However, division by a variable is an algebraic rather than linear operation, and thus we cannot prove this claim. The surprising fact is that these seemingly unnecessary common variables are very powerful, and in fact, they form the basis for the XL technique described in the second part of this paper. As a concrete example, consider a slightly overdefined system of 10 quadratic equations in 8 variables. Experiments have shown that it can be solved by degree 6 relinearization, whereas degree 4 relinearizations need at least 12 quadratic equations in 8 variables. Other combinations of solvable cases are summarized in Table 3. 
As indicated in this table, even the equations derived from special equations are still somewhat dependent, since we need more equations than variables in the final linear system. We have found several other sources of linear dependence, but due to space limitations we cannot describe them in this extended abstract. 



Table 3. Experimental data for degree 6 relinearization 

   n    m     l     n'     m'' 
   4    8     2      9       9 
   4    7     3     19      19 
   4    6     4     34      40 
   4    5     5     55      86 
   5    9     6     83      83 
   5    8     7    119     129 
   5    7     8    164     215 
   5    6     9    219     443 
   6   10    11    363     394 
   6    9    12    454     548 
   6    8    13    559     806 
   6    7    14    679    1541 
   7   11    17   1139    1363 
   7   10    18   1329    1744 
   7    9    19   1539    2318 
   8   12    24   2924    3794 
   8   11    25   3275    4584 
   8   10    26   3653    5721 
   9   13    32   6544    9080 
   9   12    33   7139   10567 
   9   11    34   7769   12716 

n    Number of variables in the original quadratic system 
m    Number of equations in the original quadratic system 
l    Number of parameters in the representation of the y_ij 
n'   Number of variables in the final linear system 
m''  Number of equations which were required to solve the final linear system 



3 The XL Algorithm 



We present another algorithm for solving systems of multivariate polynomial 
equations called XL (which stands for extended Linearizations, or for multipli- 
cation and linearization). As we will see, each independent equation obtained by 
relinearization exists (in a different form) in XL, and thus XL can be seen as a 
simplified and improved version of relinearization. 
Let K be a field, and let 𝒜 be a system of multivariate quadratic equations ℓ_k = 0 (1 ≤ k ≤ m) where each ℓ_k is the multivariate polynomial 

The problem is to find at least one solution x = (x_1, ..., x_n) ∈ K^n, for a given b = (b_1, ..., b_m) ∈ K^m. 

We say that the equations of the form $\prod_{j=1}^{k} x_{i_j} \cdot \ell_i = 0$ are of type x^k ℓ, and we call x^k ℓ the set of all these equations. For example the initial equations ℓ_k = 0 are of type ℓ. 

We also denote by x^k the set of all terms of degree k, $\prod_{j=1}^{k} x_{i_j}$. It is a slightly modified extension of the usual convention x = (x_1, ..., x_n). 

Let D ∈ ℕ. We consider all the polynomials $\prod_j x_{i_j} \cdot \ell_k$ of total degree ≤ D. Let I_D be the set of equations they span. I_D is the linear space generated by all the x^k ℓ, 0 ≤ k ≤ D − 2. 

I_D ⊂ I, I being the ideal spanned by the ℓ_k (could be called I_∞). The idea of the XL algorithm is to find in some I_D a set of equations which is easier to solve than the initial set of equations ℓ_k = 0. As we show later, the XL algorithm with maximal degree D completely contains the relinearization technique of degree D. 

Definition 1 (The XL Algorithm) Execute the following steps: 

1. Multiply: Generate all the products $\prod_{j=1}^{k} x_{i_j} \cdot \ell_i \in I_D$ with k ≤ D − 2. 

2. Linearize: Consider each monomial in x^k of degree ≤ D as a new variable and perform Gaussian elimination on the equations obtained in 1. 

The ordering on the monomials must be such that all the terms containing one variable (say x_1) are eliminated last. 

3. Solve: Assume that step 2 yields at least one univariate equation in the powers of x_1. Solve this equation over the finite field (e.g., with Berlekamp's algorithm). 

4. Repeat: Simplify the equations and repeat the process to find the values of the other variables. 

The XL algorithm is very simple, but it is not clear for which values of n and m it ends successfully, what its asymptotic complexity is, and what its relationship to relinearization and Gröbner base techniques is. As we will see, despite its simplicity XL may be one of the best algorithms for randomly generated overdefined systems of multivariate equations. 

Note 1: The equations generated in XL are in x^k ℓ and belong to I, the ideal generated by the ℓ_k. There is no need to consider more general equations such as ℓ_i ℓ_j since they are in I_4 and are thus in the linear space generated by the equations of type x^2 ℓ ∪ x ℓ ∪ ℓ. 

Note 2: Sometimes it is more efficient to work only with a subset of all the possible monomials. For example, when all the equations are homogeneous quadratic equations, it suffices to use only monomials of odd (or even) degrees. 

Note 3: A related technique was used by Don Coppersmith to find small roots of univariate modular equations [2]. However, in that application he used LLL rather than Gauss elimination to handle the generated relations, and relied heavily on the fact that the solution is small (which plays no role in our application). 

4 A Toy Example of XL 

Let μ ≠ 0. Consider the problem of solving: 

$$x_1^2 + \mu x_1 x_2 = \alpha \qquad (4.1)$$

$$x_2^2 + \nu x_1 x_2 = \beta \qquad (4.2)$$

For D = 4 and even degree monomials, the equations we generate in step 1 of the XL algorithm are ℓ ∪ x^2 ℓ. Those are the 2 initial equations and 6 = 2·3 additional equations generated by multiplying the initial 2 equations ℓ_k by the 3 possible terms of degree 2: x_1^2, x_1 x_2, x_2^2 ∈ x^2. 

$$x_1^4 + \mu x_1^3 x_2 = \alpha x_1^2 \qquad (4.3)$$
$$x_1^2 x_2^2 + \nu x_1^3 x_2 = \beta x_1^2 \qquad (4.4)$$
$$x_1^2 x_2^2 + \mu x_1 x_2^3 = \alpha x_2^2 \qquad (4.5)$$
$$x_2^4 + \nu x_1 x_2^3 = \beta x_2^2 \qquad (4.6)$$
$$x_1^3 x_2 + \mu x_1^2 x_2^2 = \alpha x_1 x_2 \qquad (4.7)$$
$$x_1 x_2^3 + \nu x_1^2 x_2^2 = \beta x_1 x_2 \qquad (4.8)$$

In step 2 we eliminate and compute: 

From (4.1): $x_1 x_2 = \frac{\alpha - x_1^2}{\mu}$ 

From (4.2): $x_2^2 = \left(\beta - \frac{\nu\alpha}{\mu}\right) + \frac{\nu}{\mu} x_1^2$ 

From (4.3): $x_1^3 x_2 = \frac{\alpha}{\mu} x_1^2 - \frac{1}{\mu} x_1^4$ 

From (4.4): $x_1^2 x_2^2 = \left(\beta - \frac{\nu\alpha}{\mu}\right) x_1^2 + \frac{\nu}{\mu} x_1^4$ 

From (4.8): $x_1 x_2^3 = \frac{\alpha\beta}{\mu} + \left(\frac{\nu^2\alpha}{\mu} - \frac{\beta}{\mu} - \nu\beta\right) x_1^2 - \frac{\nu^2}{\mu} x_1^4$ 

From (4.6): $x_2^4 = \left(\beta^2 - \frac{2\nu\alpha\beta}{\mu}\right) + \left(\frac{2\nu\beta}{\mu} + \nu^2\beta - \frac{\nu^3\alpha}{\mu}\right) x_1^2 + \frac{\nu^3}{\mu} x_1^4$ 

Finally from (4.5) we get one equation with only one variable x_1: 

$$\alpha^2 + x_1^2\,(\alpha\mu\nu - \beta\mu^2 - 2\alpha) + x_1^4\,(1 - \mu\nu) = 0.$$
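The four steps of Definition 1 can be run on this toy system by machine. What follows is an added example and not code from the paper: a small XL solver over GF(p) that multiplies by all monomials of degree ≤ D − 2 (a superset of the even-degree choice above), linearizes, eliminates with the x1-only monomials ordered last, solves the resulting univariate equation by exhaustive search over GF(127), and back-substitutes for x2. The values of μ, ν and the planted solution are constructed; the function paper_univariate encodes the final equation of this section for comparison.

```python
"""Added example, not code from the paper: a small XL solver over GF(p) that
runs steps 1-4 of Definition 1 on the toy system of this section,
    x1^2 + mu*x1*x2 = alpha,   x2^2 + nu*x1*x2 = beta,
with D = 4.  Polynomials are dicts {exponent tuple: coefficient mod p};
mu, nu and the sample solution used below are constructed values."""
from itertools import product


def monomials(n, max_deg):
    """Exponent tuples of all monomials in n variables of degree <= max_deg."""
    return [e for e in product(range(max_deg + 1), repeat=n) if sum(e) <= max_deg]


def poly_mul(f, g, p):
    """Product of two polynomials over GF(p)."""
    h = {}
    for ef, cf in f.items():
        for eg, cg in g.items():
            e = tuple(a + b for a, b in zip(ef, eg))
            h[e] = (h.get(e, 0) + cf * cg) % p
    return {e: c for e, c in h.items() if c}


def xl_univariate(eqs, n, D, p, var=0):
    """Steps 1-3 of XL: multiply every equation by all monomials of degree
    <= D-2, treat each monomial of degree <= D as a new variable and run
    Gaussian elimination with the monomials in x_var alone (and the
    constant) ordered last.  Returns the univariate polynomials
    {degree: coeff} in x_var that appear among the reduced rows."""
    def only_var(e):
        return all(k == 0 for i, k in enumerate(e) if i != var)

    rows = [poly_mul(f, {e: 1}, p) for f in eqs for e in monomials(n, D - 2)]
    cols = monomials(n, D)
    cols.sort(key=lambda e: (only_var(e), -sum(e)))   # mixed monomials first
    M = [[r.get(e, 0) for e in cols] for r in rows]
    pivots = []                                        # (row, column) pairs
    for c in range(len(cols)):
        r = len(pivots)                                # next unused row
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(len(M)):                        # reduced echelon form
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append((r, c))
    first = next(j for j, e in enumerate(cols) if only_var(e))
    return [{cols[j][var]: M[r][j] for j in range(first, len(cols)) if M[r][j]}
            for r, c in pivots if c >= first]


def roots_mod_p(uni, p):
    """Roots of a univariate polynomial {degree: coeff} over GF(p) by
    exhaustive search (fine for p = 127; Berlekamp would be used at scale)."""
    return [x for x in range(p)
            if sum(c * pow(x, d, p) for d, c in uni.items()) % p == 0]


def paper_univariate(mu, nu, alpha, beta, p):
    """The final equation of this section:
    alpha^2 + x1^2 (alpha mu nu - beta mu^2 - 2 alpha) + x1^4 (1 - mu nu) = 0."""
    return {0: alpha * alpha % p,
            2: (alpha * mu * nu - beta * mu * mu - 2 * alpha) % p,
            4: (1 - mu * nu) % p}


def solve_toy(mu, nu, alpha, beta, p=127):
    """Full XL run on the toy system; returns all solutions (x1, x2) in GF(p)^2."""
    f1 = {(2, 0): 1, (1, 1): mu % p, (0, 0): -alpha % p}
    f2 = {(0, 2): 1, (1, 1): nu % p, (0, 0): -beta % p}
    unis = xl_univariate([f1, f2], 2, 4, p, var=0)
    if not unis:
        return []
    sols = []
    for x1 in roots_mod_p(unis[0], p):
        # step 4: fixing x1 turns f1 and f2 into univariate polynomials in x2
        cands = None
        for f in (f1, f2):
            g = {}
            for (a, b), c in f.items():
                g[b] = (g.get(b, 0) + c * pow(x1, a, p)) % p
            r = set(roots_mod_p(g, p))
            cands = r if cands is None else cands & r
        sols.extend((x1, x2) for x2 in sorted(cands))
    return sols


if __name__ == "__main__":
    # constructed instance: mu = 3, nu = 5 and the planted solution (7, 11)
    mu, nu, x1, x2, p = 3, 5, 7, 11, 127
    alpha = (x1 * x1 + mu * x1 * x2) % p      # 26
    beta = (x2 * x2 + nu * x1 * x2) % p       # 125
    print(solve_toy(mu, nu, alpha, beta, p))
```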

5 Experimental Results on XL 

5.1 Experimental Results with m = n over GF(127) 

When m = n our simulation has shown that we need D = 2^n in order to be able to solve the equations (so the algorithm works only for very small n). 

An explanation of this is given in Sect. 6.2. 




Solving Overdefined Multivariate Equations 401 

3 variables and 3 homogeneous quadratic equations, GF(127) 

  XL equations: type                   Free/All    Δ = Free+B−T−1   B    T     XL unknowns: type (B degrees in one variable) 
  ℓ                                    3/3         −3               1    6     x^2 
  x ℓ ∪ ℓ                              12/12       −5               3    19    x^3 ∪ x^2 ∪ x 
  x^3 ℓ ∪ x ℓ                          30/39       −2               3    34    x^5 ∪ x^3 ∪ x 
  x^5 ℓ ∪ x^3 ℓ ∪ x ℓ                  66/102      −1               4    70    x^7 ∪ x^5 ∪ x^3 ∪ x 
  x^6 ℓ ∪ x^4 ℓ ∪ x^2 ℓ ∪ ℓ            91/150       0               4    94    x^8 ∪ x^6 ∪ x^4 ∪ x^2 
  x^7 ℓ ∪ x^5 ℓ ∪ x^3 ℓ ∪ x ℓ          121/210      0               5    125   x^9 ∪ x^7 ∪ x^5 ∪ x^3 ∪ x 
  x^17 ℓ ∪ x^15 ℓ ∪ x^13 ℓ ∪ ...       821/1845     4               9    825   x^19 ∪ x^17 ∪ x^15 ∪ ... 

4 variables and 4 homogeneous quadratic equations, GF(127) 

  XL equations: type                   Free/All    Δ = Free+B−T−1   B    T     XL unknowns: type (B degrees in one variable) 
  ℓ                                    4/4         −6               1    10    x^2 
  x^4 ℓ ∪ x^2 ℓ ∪ ℓ                    122/184     −5               3    129   x^6 ∪ x^4 ∪ x^2 
  x^8 ℓ ∪ x^6 ℓ ∪ x^4 ℓ ∪ x^2 ℓ ∪ ℓ    573/1180    −3               5    580   x^10 ∪ x^8 ∪ x^6 ∪ x^4 ∪ x^2 
  x^12 ℓ ∪ x^11 ℓ ∪ x^10 ℓ ∪ ...       3044/7280   −2              14    3059  x^14 ∪ x^13 ∪ ... 
  x^14 ℓ ∪ x^12 ℓ ∪ x^10 ℓ ∪ ...       2677/6864    0               8    2684  x^16 ∪ x^14 ∪ x^12 ∪ ... 

T: number of monomials; Δ > 0 when XL solves the equations (Δ = Free+B−T−1) 
B: number of monomials in one variable, e.g. x_1; Free/All: numbers of free/all equations of the given type 



5.2 Experimental Results with m = n + 1 over GF(127) 

When m = n + 1 our simulations show that we have to take D = n in order to obtain Δ > 0 and be able to solve the equations. 

4 variables and 5 homogeneous quadratic equations, GF(127) 

  XL equations: type        Free/All    Δ = Free+B−T−1   B    T     XL unknowns: type (B degrees in one variable) 
  ℓ                         5/5         −4               1    10    x^2 
  x ℓ ∪ ℓ                   25/25       −8               3    34    x^3 ∪ x^2 ∪ x 
  x^2 ℓ ∪ ℓ                 45/55        1               2    45    x^4 ∪ x^2 

8 variables and 9 homogeneous quadratic equations, GF(127) 

  XL equations: type        Free/All    Δ = Free+B−T−1   B    T     XL unknowns: type (B degrees in one variable) 
  ℓ                         9/9         −27              1    36    x^2 
  x^2 ℓ ∪ ℓ                 297/333     −68              2    366   x^4 ∪ x^2 
  x^4 ℓ ∪ x^2 ℓ ∪ ℓ         2055/3303   −25              3    2082  x^6 ∪ x^4 ∪ x^2 
  x^5 ℓ ∪ x^3 ℓ ∪ x ℓ       4344/8280   −5               4    4352  x^7 ∪ x^5 ∪ x^3 ∪ x 
  x^6 ℓ ∪ x^4 ℓ ∪ x^2 ℓ ∪ ℓ 8517/18747   3               4    8517  x^8 ∪ x^6 ∪ x^4 ∪ x^2 

T: number of monomials; Δ > 0 when XL solves the equations (Δ = Free+B−T−1) 
B: number of monomials in one variable, e.g. x_1; Free/All: numbers of free/all equations of the given type 
5.3 Experimental Results with m = n + 2 over GF(127) 

In case m = n + 2 it may be possible to take D = √n + C, but the data is still inconclusive. We are currently working on larger simulations, which will be reported in the final version of this paper. 



8 variables and 10 homogeneous quadratic equations, GF(127) 

  XL equations: type        Free/All    Δ = Free+B−T−1   B    T     XL unknowns: type (B degrees in one variable) 
  ℓ                         10/10       −26              1    36    x^2 
  x^2 ℓ ∪ ℓ                 325/370     −40              2    366   x^4 ∪ x^2 
  x^3 ℓ ∪ x ℓ               919/1280     1               3    920   x^5 ∪ x^3 ∪ x 

9 variables and 11 homogeneous quadratic equations, GF(127) 

  XL equations: type        Free/All    Δ = Free+B−T−1   B    T     XL unknowns: type (B degrees in one variable) 
  ℓ                         11/11       −34              1    45    x^2 
  x^3 ℓ ∪ x ℓ               1419/1914   −40              3    1461  x^5 ∪ x^3 ∪ x 
  x^4 ℓ ∪ x^2 ℓ ∪ ℓ         3543/5951    2               3    3543  x^6 ∪ x^4 ∪ x^2 

T: number of monomials; Δ > 0 when XL solves the equations (Δ = Free+B−T−1) 
B: number of monomials in one variable, e.g. x_1; Free/All: numbers of free/all equations of the given type 



6 Complexity Evaluation of XL 

Given m quadratic equations with n variables, we multiply each equation by all the possible products $x_{i_1} \cdots x_{i_{D-2}}$. The number of generated equations (of type x^{D−2} ℓ) is about $\alpha = m \cdot \frac{n^{D-2}}{(D-2)!}$, while we have about $\beta = \frac{n^D}{D!}$ linear variables of type x^D ∪ x^{D−2} ∪ ... 

If most of the equations are linearly independent in XL (we will comment on this critical hypothesis below), we expect to succeed when α ≥ β, i.e. when 

$$m \ge \frac{n^2}{D(D-1)} \qquad (7)$$

We get the following evaluation: 

$$D \ge \text{about } \frac{n}{\sqrt{m}} \qquad (8)$$
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6.1 Case m ^ n 



If m « n, and if we expect most of the equations to be independent, we expect 
the attack to succeed when D « ^/n. The complexity of the algorithm is thus 

D 

lower bounded by the complexity of a Gaussian reduction on about ^ variables, 
D « y/n. Its working factor is thus at least 



WF > 




UJ 



where w = 3 in the usual Gaussian reduction algorithm, and w = 2.3766 in 
improved algorithms. By simplifying this expression, we get the subexponential 
complexity bound of approximately: 



WF > 



Inn I ^ 



(9) 



Notes: 

— When n is fixed the XL algorithm is expected to run in polynomial time 
(in the size of K). 

— When K is fixed and n — > oo, the formula indicates that XL may run in 
sub-exponential time. We will see however that this is likely to be true only 
when m — n is “sufficiently” big while still m ~ n. This point is the object 
of the study below. 

6.2 Case m = n

When $m = n$ our simulation showed that $D = 2^n$ (instead of $D \approx \sqrt{n}$).

It is possible to give a theoretical explanation of this fact: if we look at the algebraic closure $\bar{K}$ of K, we have in general $2^n$ solutions for a system of n quadratic equations with n variables. So the final univariate equation we can derive should in general be of degree $2^n$.

6.3 Case m = n + 1

For $m = n + 1$ our simulations show that $D = n$ (instead of $\sqrt{n}$). The reason for this is not clear at present.

6.4 Case m = n + C, C ≥ 2

For $m = n + C$, $C \ge 2$, it seems from our simulations that even for small values of C we will have $D \approx \sqrt{n}$. This remark will lead to the FXL algorithm below.

In order to know for what value of C it is reasonable to assume that $D \approx \sqrt{n}$ we need more simulations. Many of them will be included in the extended version of this paper; however, given the limited computing power available, the results do not give a precise estimation of C.
6.5 Case m = εn², ε > 0

Let $0 < \varepsilon < 1/2$ and $m = \varepsilon n^2$. From (8) we expect XL to succeed when

$$D \approx \frac{1}{\sqrt{\varepsilon}}. \qquad (10)$$

The working factor is in this case $\mathrm{WF} \approx \left(\frac{n^D}{D!}\right)^{\omega} \approx n^{\omega/\sqrt{\varepsilon}}$. So the algorithm is expected to be polynomial (in n) with a degree of about $\omega/\sqrt{\varepsilon}$.

Remark: The fact that solving a system of $\varepsilon \cdot n^2$ equations in n variables was likely to be polynomial was first suggested in [9]. Despite the fact that the relinearization is less efficient than what could have been expected, the complexity of solving $\varepsilon n^2$ equations in n variables is still expected to be polynomial.

7 The FXL Algorithm 

In our simulations it is clear that when $m \approx n$, the smallest working degree D decreases dramatically when $m - n$ increases. For example, if $m = n$ then $D = 2^n$, if $m = n + 1$ then $D = n$, and if m is larger we expect to have $D \approx \sqrt{n}$.

We are thus led to the following extension of XL called FXL (which stands for Fixing and XL):

Definition 2 (The FXL Algorithm)

1. Fix $\mu$ variables (see below for the choice of $\mu$).

2. Solve with XL the resultant system of m equations in $n - \mu$ variables.

We choose the smallest possible $\mu$ such that in step 2 we have $D \approx \sqrt{n}$, in order to have minimal complexity in step 2.

The complexity of the FXL algorithm is $q^{\mu} e^{C\sqrt{n}\ln n}$, where q is the size of the field K: we have $q^{\mu}$ choices for the $\mu$ variables in step 1, and XL costs $e^{C\sqrt{n}\ln n}$ for $D \approx \sqrt{n}$.

How $\mu$ increases when n increases is an open question. We can notice that if $\mu = O(\sqrt{n})$, then the complexity of the FXL algorithm would be about $q^{O(\sqrt{n})} e^{C\sqrt{n}\ln n}$, which is approximately $e^{C\sqrt{n}(\ln n + \ln q)}$. Thus the FXL algorithm might be sub-exponential, even when $m = n$, but we have no rigorous proof of this conjecture.

8 XL and Relinearization 

We have formally proved that the set of equations defined by a successful relinearization of degree D is equivalent to a subset of equations derived from the XL algorithm with the same D. The proof is not difficult, but due to its length it will appear only in the extended version of this paper (available from the authors). It is based on a series of effective syntactic transformations on the system of equations $\mathcal{C}$ derived from the degree D relinearization of a given system of m quadratic equations in n variables. By eliminating redundant equations we get another system of equations $\mathcal{D}$, and by replacing each monomial in $\mathcal{D}$ by a new variable, we get a final system of equations denoted by $\mathcal{E}$. We then perform the following steps:

1. We replace $\mathcal{C}$ by another system $\mathcal{C}'$ that contains the same equations written in a 'special form'. We define the 'special degree' of such equations, and show that $\mathrm{SpecialDeg}(\mathcal{C}') \le D$.

2. We transform $\mathcal{C}'$ to $\mathcal{D}'$. We show that $\mathcal{D}'$ are the equations of $\mathcal{D}$ written in the special form, with $\mathrm{SpecialDeg}(\mathcal{D}') \le D$.

3. We transform $\mathcal{D}'$ to $\mathcal{E}'$, and show that $\mathcal{E}' \subset I_D$.

Theorem 1 (Relinearization as a Subcase of the XL Algorithm). Let $\mathcal{C}$ be the equations obtained in a successful relinearization of degree D of a system of m quadratic equations with n variables. Then we can effectively construct a set of equations $\mathcal{E}$ that preserves the solvability of the system by Gaussian reduction, along with its explicit expression $\mathcal{E}'$ as a subcase of the XL algorithm: $\mathcal{E}' \subset I_D$.



In practice, XL is more efficient than relinearization. For example, to solve 11 equations with 9 variables, relinearization requires the solution of a linear system with 7769 variables (see Table 3), whereas XL requires the solution of a system with only 3543 variables (see 5.3). Moreover, XL can use any D while relinearization can only use composite values of D. For example, to solve 10 quadratic equations with 8 variables we had to use the relinearization algorithm with $D = 6$, but the XL algorithm could use the smaller value $D = 5$. Consequently, the system of linear equations derived from relinearization had 3653 variables, while the system of linear equations derived from XL had only 919 variables (see 5.3).



9 Gröbner Bases Algorithms

One way of implementing the XL algorithm is to combine the equations in an organised way, rather than to multiply them by all the possible monomials. This would naturally lead to the classical Gröbner-bases algorithms.

We define $I_{x_1, \ldots, x_k}$ as the subspace of all the equations of I that can be written with just the variables $x_1, \ldots, x_k$. The XL method checks if there are any (univariate) equations in some $(I_D)_{x_1}$.

The Gröbner bases algorithms construct a basis of a space of (univariate) equations in $I_{x_1} = \bigcup_k (I_k)_{x_1}$. However, in order to get there, they compute successively bases of the $I_{x_1, \ldots, x_k}$ for $k = n, \ldots, 1$.

It is not clear what is the best way to use Gröbner bases to solve our problem of overdefined systems of equations. A large number of papers have been written on Gröbner base techniques, but most of them concentrate either on the case of fields of characteristic 0, or look for solutions in an algebraic closure of K, and the complexity analysis of these algorithms is in general very difficult.
10 Cryptanalysis of HFE with XL/Relinearization Attacks

The HFE (Hidden Field Equations) cryptosystem was proposed at Eurocrypt 1996 [11]. Two different attacks were recently developed against it [3,9], but they do not compromise the practical security of HFE instances with well chosen parameters. Moreover it does not seem that these attacks can be extended against variations of the HFE scheme such as HFEv or HFEv$^-$ described in [8].

The first type of attack (such as the affine multiple attack in [11]) tries to compute the cleartext from a given ciphertext. It is expected to be polynomial when the degree d of the hidden polynomial is fixed, and not polynomial when $d = O(n)$. In [3] Nicolas Courtois presented several improved attacks in this category, with an expected complexity of $n^{O(\ln d)}$ (i.e. still not polynomial), improving on the complexity of the original attack.

A second line of attack tries to recover the secret key from the public key. The Kipnis-Shamir attack described in [9] was the first attack of this type. It is also expected to be polynomial when d is fixed but not polynomial when $d = O(n)$.

To test the practicality of these attacks, consider the HFE "challenge 1" described in the extended version of [11] and in [4]. It is a trapdoor function over GF(2) with $n = 80$ variables and $d = 96$. A direct application of FXL to these 80 quadratic equations requires Gaussian reductions on about $80^9/9! \approx 2^{38}$ variables (already $(2^{38})^{\omega} > 2^{80}$ for $\omega = 2.3766$), and thus its time complexity exceeds the $2^{80}$ complexity of exhaustive search, in spite of its conjectured subexponential asymptotic complexity. The best attack on the cleartext (from [3]) is expected to run on "challenge 1" in time $2^{62}$. The best attack on the secret key (from [9]) is expected to run in time $2^{152}$ when XL is used, and to take even longer when relinearization is used. A possible improvement of this attack (from [3], using sub-matrices) runs in time $2^{82}$, which is still worse than the $2^{80}$ complexity of exhaustive search.

11 Conclusion

In this paper we studied the relinearization technique of Kipnis and Shamir, along with several improvements. We saw that in high degree relinearizations the derived equations are mostly linearly dependent, and thus the algorithm is much less efficient than originally expected.

We have related and compared relinearization to more general techniques, such as XL and Gröbner bases. We have proved that XL "contains" relinearization and demonstrated that it is more efficient in practice. We also concluded that the complexity of solving systems of multivariate equations drops rapidly when the number of equations exceeds the number of variables (even by one or two). Consequently, over a small field the FXL algorithm may be asymptotically subexponential even when $m = n$, since it guesses the values of a small number of variables in order to make the system of equations slightly overdefined. However, in many practical cases with fixed parameters $m \approx n$, the best known algorithms are still close to exhaustive search.

Finally, when the number of equations m and the number of variables n are related by $m \ge \varepsilon n^2$ for any constant $0 < \varepsilon < 1/2$, the asymptotic complexity seems to be polynomial with an exponent of $O(1/\sqrt{\varepsilon})$.
Abstract. In a series of papers Patarin proposes new efficient public key systems. A very interesting proposal, called 2-Round Public Key System with S Boxes, or 2R, is based on the difficulty of decomposing the structure of several rounds of unknown linear transformations and S boxes. This difficulty is due to the difficulty of decomposing compositions of multivariate binary functions. In this paper we present a novel attack which breaks the 64-bit block variant with complexity about $2^{30}$ steps, and the more secure 128-bit block variant with complexity about $2^{60}$ steps. It is interesting to note that this cryptanalysis uses only the ciphertexts of selected plaintexts, and does not analyze the details of the supplied encryption code.



1 Introduction 

The search for efficient public key cryptosystems is as old as the idea of public key cryptosystems itself [1]. Many of the most efficient proposed schemes were based on multivariate polynomials [3,9,2], but they were usually broken later [8,10,4]. In a series of papers Patarin proposes new secure and efficient public key systems [5,6] based on hiding the structure of polynomials in a difficult-to-analyze encryption code, and analyzes other similar schemes [4]. One of his more promising schemes is the very efficient 2-Round Public Key System with S Boxes (shortly called 2R) [7]. The design of this scheme is unique as it uses techniques from symmetric ciphers in designing a public key cryptosystem, while still claiming security based on a relation to the difficulty of decomposing compositions of multivariate binary functions.

Patarin's public key cryptosystem with S boxes encrypts by performing the following secret operations on 64-bit or 128-bit plaintexts:

1. Invertible linear transformation $L_0$

2. First layer of 8 (or 16) 8x8-bit quadratic S boxes $S_{1,0}, \ldots, S_{1,7}$, collectively denoted by $S_1$

3. Another linear transformation $L_1$

4. Second layer of S boxes $S_{2,0}, \ldots, S_{2,7}$, collectively denoted by $S_2$

5. Final linear transformation $L_2$

6. The ciphertext is $C = E(P) = L_2(S_2(L_1(S_1(L_0(P)))))$

[Fig. 1. Outline of Patarin's 2R scheme]

Figure 1 outlines this scheme.

Only the owner of the system knows these transformations, and uses this 
knowledge for decryption. The publication of the system hides the structure by 
giving an equivalent description from which it is claimed to be very difficult to 
identify the original description, due to the difficulty of decomposing composi- 
tions of binary functions. 

In the rest of this paper we assume that the encryption function is given as an oracle (black box). Our analysis does not study the supplied code of the system, and does not try to decompose the binary function. On the contrary, it recovers the full details of the function given only the ciphertexts of (many) selected plaintexts, which are encrypted using the supplied encryption function. Moreover, it does not rely on the quadraticness of the S boxes.

A major observation is that the S boxes are not bijective. The designer claims that if the S boxes were bijective, the security of the system might have been compromised. Therefore, decryption is not unique, and some redundancy should be added to the plaintext to allow unique decryption.¹

In this paper we present the first cryptanalysis of this scheme, for which we received the prize promised by the designer for the first person to break this scheme. Later, Ye, Lam and Dai devised a different attack based on the algebraic structure of the scheme [11]. Their attack is less efficient than ours, although it imposes more restrictions than we do (e.g., their attack would not work if the S boxes were not quadratic, while our attack is not very sensitive to the method used to construct the S boxes).

¹ Although an attacker may decide not to add this redundancy when he generates the ciphertexts used for the attack.

Our attack can break the 2R scheme with complexity about $2^{30}$ when the block size is 64 bits. Moreover, it can also break the more secure variant with 128-bit blocks with complexity about $2^{60}$.

This paper is organized as follows: In Section 2 we describe our main obser- 
vations and tools used later in the analysis, and in Section 3 we describe the 
attack. Section 4 discusses possible improvements of the scheme. The paper is 
summarized in Section 5. 



2 The Main Observations and Tools 

Our main observation is that the S boxes are not bijective, and thus outputs of different inputs to the same S box may collide. Given a pair of plaintexts, S boxes which have different inputs in the two encryptions but the same outputs will be called active S boxes. Therefore, there exist many pairs P, P* of plaintexts for which the outputs of all the S boxes in the first round collide, which causes the ciphertexts to collide as well. Such collisions can be constructed as follows: for any S box $S_{1,i}$ there exist pairs of 8-bit values Y and Y* such that $S_{1,i}(Y) = S_{1,i}(Y^*)$. Let X be a 64-bit value whose bits $8i, \ldots, 8i+7$ equal Y, and let X* be equal to X, except for these bits, whose value is replaced by Y*. Let $P = L_0^{-1}(X)$ and $P^* = L_0^{-1}(X^*)$. Then the ciphertexts E(P) and E(P*) are equal. Figure 2 outlines the differences in pairs of encryptions.

The attacker does not know the details of the linear transformation and the S boxes, and cannot construct collisions using this algorithm. However, if the attacker finds a collision, he might be interested to know whether the collision already occurs after the first layer of S boxes, and whether there is only one active S box. He can also be interested to know whether there is a common active S box in two different colliding pairs. In the next subsections we present two algorithms which will be useful for this purpose.

2.1 Algorithm A 

We observe that given a pair P, P* such that $E(P) = E(P^*)$, we can identify whether there is only one active S box in the first round (and none in the second round), or there are two or more active S boxes. This identification can be performed by the following algorithm:

1. Given P and P*

2. Repeat about 1000 times:

   (a) Select Q at random

   (b) Compute $Q^* = Q \oplus P \oplus P^*$

   (c) Check whether $E(Q) = E(Q^*)$

3. Let q be the fraction of times with equality $E(Q) = E(Q^*)$ in the previous step

4. If $q > 1/256$, output one-active-S-box, and conclude that there is only one active S box in the first round.

5. Otherwise output several-active-S-boxes.

[Fig. 2. Outline of the main observation (E(P) = E(P*))]

This algorithm works since the differences in the inputs of the S boxes in the first round are the same for P and P* and for Q and Q*, due to linearity. Thus,

1. If there is a difference in only one S box for P and P*, so there is for Q and Q*. Since Q is chosen randomly, and since there are 128 pairs of inputs to an S box with the particular difference, there is a probability of 1/128 that the pair of inputs of the active S box is the same in both pairs, and thus a fraction of at least 1/128 of the pairs of outputs collide in Q and Q*. The repetition 1000 times ensures that the probability of a wrong output is very small.

2. If there are differences in the inputs of two or more S boxes in the first round, the expected q reduces to about $2^{-7m}$ or a small factor of it, where m is the number of S boxes with differing inputs.

3. If the outputs of the first layer of S boxes of P and P* do not collide, but the ciphertexts do collide, the expected q is negligible (typically about $2^{-60}$ or less for 64-bit blocks).
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2.2 Algorithm B 

We can also identify whether two pairs $P_1, P_1^*$ and $P_2, P_2^*$ which satisfy $E(P_1) = E(P_1^*)$ and $E(P_2) = E(P_2^*)$ (and collide already after the first round) have distinct active S boxes in the first round, or whether there is some common active S box:

1. Given $P_1, P_1^*, P_2, P_2^*$

2. Compute $Q_1 = P_1 \oplus P_2 \oplus P_2^*$ and $Q_1^* = P_1^* \oplus P_2 \oplus P_2^*$

3. Compute $Q_2 = P_2 \oplus P_1 \oplus P_1^*$ and $Q_2^* = P_2^* \oplus P_1 \oplus P_1^*$

4. If $E(Q_1) \ne E(Q_1^*)$ or $E(Q_2) \ne E(Q_2^*)$ output common, and conclude that there exists a common active S box.

5. If $E(Q_1) = E(Q_1^*)$ and $E(Q_2) = E(Q_2^*)$ output distinct and conclude that the pairs have distinct active S boxes with a high probability.

This algorithm should detect almost all cases of common active S boxes. If it does not detect one, there is a high probability that there are no common active S boxes.

This algorithm works because the pairs $Q_1, Q_1^*$ (and $Q_2, Q_2^*$) differ in exactly the same S boxes as $P_1, P_1^*$ ($P_2, P_2^*$, respectively). If there are no common active S boxes, the active S boxes in $Q_1, Q_1^*$ ($Q_2, Q_2^*$) have exactly the same inputs as in $P_1, P_1^*$ ($P_2, P_2^*$), and thus the same collision occurs. If there is some common active S box, the inputs in $Q_1, Q_1^*$ ($Q_2, Q_2^*$) differ from those in $P_1, P_1^*$ ($P_2, P_2^*$), and thus the probability of collision is small.
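The construction and the two algorithms of this section, as an added example (not code from the paper or from Patarin's scheme): a toy 2R oracle built from random non-bijective 8x8 S boxes and random invertible 64x64 GF(2) matrices, the designer-side collision construction, and Algorithms A and B on the attacker side, which only ever call the oracle. The S boxes, the matrices, the fixed seed and the use of 8000 trials in Algorithm A (instead of the 1000 in the text, to keep the demo's verdicts stable) are assumptions of the example.

```python
"""Toy 2R oracle and Biham's Algorithms A and B (Section 2) -- added example,
not code from the paper. Random non-bijective 8x8 S boxes and random invertible
64x64 GF(2) matrices stand in for the secret L0, S1, L1, S2, L2 (assumptions of
the example); the attacker side (algorithm_a, algorithm_b) only calls encrypt()."""
import random

BLOCK, NBOX = 64, 8                  # 64-bit blocks, eight 8-bit S boxes per layer
rng = random.Random(2000)            # fixed seed so the demo is reproducible

def random_invertible():
    """Random invertible 64x64 GF(2) matrix as (rows, rows of M^-1) via Gauss-Jordan on [M | I]."""
    while True:
        rows = [rng.getrandbits(BLOCK) for _ in range(BLOCK)]
        aug = [r | 1 << (BLOCK + i) for i, r in enumerate(rows)]
        for c in range(BLOCK):
            piv = next((i for i in range(c, BLOCK) if aug[i] >> c & 1), None)
            if piv is None:
                break                                    # singular: draw again
            aug[c], aug[piv] = aug[piv], aug[c]
            for i in range(BLOCK):
                if i != c and aug[i] >> c & 1:
                    aug[i] ^= aug[c]
        else:
            return rows, [a >> BLOCK for a in aug]

class LinearMap:
    """y = M x over GF(2), evaluated with eight 256-entry byte tables."""
    def __init__(self, rows):
        cols = [0] * BLOCK                               # cols[j] = M e_j
        for i, r in enumerate(rows):
            for j in range(BLOCK):
                if r >> j & 1:
                    cols[j] |= 1 << i
        self.tabs = []
        for k in range(NBOX):
            tab = [0] * 256
            for b in range(1, 256):                      # XOR of the columns of the set bits
                low = b & -b
                tab[b] = tab[b ^ low] ^ cols[8 * k + low.bit_length() - 1]
            self.tabs.append(tab)
    def __call__(self, x):
        y = 0
        for k, tab in enumerate(self.tabs):
            y ^= tab[x >> (8 * k) & 0xFF]
        return y

def sbox_layer(boxes, x):
    return sum(boxes[k][x >> (8 * k) & 0xFF] << (8 * k) for k in range(NBOX))

# Secret key (designer side). Random 8-bit functions are non-bijective, as in 2R.
L0_ROWS, L0_INV_ROWS = random_invertible()
L0, L0_INV = LinearMap(L0_ROWS), LinearMap(L0_INV_ROWS)
L1, L2 = LinearMap(random_invertible()[0]), LinearMap(random_invertible()[0])
S1 = [[rng.getrandbits(8) for _ in range(256)] for _ in range(NBOX)]
S2 = [[rng.getrandbits(8) for _ in range(256)] for _ in range(NBOX)]

def encrypt(p):
    """C = L2(S2(L1(S1(L0(P))))): the public oracle, the only call the attacker makes."""
    return L2(sbox_layer(S2, L1(sbox_layer(S1, L0(p)))))

def colliding_pairs(box):
    """All (Y, Y*) with Y != Y* and box[Y] == box[Y*]."""
    by_out = {}
    for y in range(256):
        by_out.setdefault(box[y], []).append(y)
    return [(ys[0], y) for ys in by_out.values() for y in ys[1:]]

def collision_pair(active):
    """Designer-side construction of Section 2: P, P* with exactly the boxes in
    `active` (box index -> (Y, Y*)) active, so the first-layer outputs collide."""
    x = x_star = rng.getrandbits(BLOCK)
    for k, (y, y_star) in active.items():
        clear = ~(0xFF << (8 * k))
        x, x_star = x & clear | y << (8 * k), x_star & clear | y_star << (8 * k)
    return L0_INV(x), L0_INV(x_star)

def algorithm_a(p, p_star, trials=8000):
    """'one' if the colliding pair has a single active first-round S box, else 'several'.
    Q* = Q xor P xor P* keeps the first-round input difference: q >= 1/128 for one box."""
    diff, hits = p ^ p_star, 0
    for _ in range(trials):
        q = rng.getrandbits(BLOCK)
        hits += encrypt(q) == encrypt(q ^ diff)
    return "one" if hits / trials > 1 / 256 else "several"

def algorithm_b(p1, p1s, p2, p2s):
    """'common' if two first-round colliding pairs share an active S box, else 'distinct'."""
    q1, q1s = p1 ^ p2 ^ p2s, p1s ^ p2 ^ p2s
    q2, q2s = p2 ^ p1 ^ p1s, p2s ^ p1 ^ p1s
    if encrypt(q1) != encrypt(q1s) or encrypt(q2) != encrypt(q2s):
        return "common"
    return "distinct"

def run_demo():
    c0, c3 = colliding_pairs(S1[0]), colliding_pairs(S1[3])
    d0 = c0[0][0] ^ c0[0][1]
    c0_other = next(pr for pr in c0 if pr[0] ^ pr[1] != d0)   # box 0, another difference
    one, two = collision_pair({0: c0[0]}), collision_pair({0: c0[0], 3: c3[0]})
    box3, box0 = collision_pair({3: c3[0]}), collision_pair({0: c0_other})
    return {
        "pairs_collide": all(encrypt(p) == encrypt(ps) for p, ps in (one, two, box3, box0)),
        "A_one_active": algorithm_a(*one),         # expected 'one'
        "A_two_active": algorithm_a(*two),         # expected 'several'
        "B_distinct": algorithm_b(*one, *box3),    # expected 'distinct'
        "B_common": algorithm_b(*one, *box0),      # expected 'common'
    }

if __name__ == "__main__":
    print(run_demo())
```

Everything after the key section treats encrypt() as a black box: algorithm_a never sees the linear layers, it only relies on Q and Q* having the same first-round input difference as P and P*, which is why the observed collision rate separates one active box from two.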

3 The Attack 

3.1 Analyzing the First Linear Transformation 

The first step of the attack computes the ciphertexts of many random plaintexts, and collects pairs P, P* whose ciphertexts E(P), E(P*) are equal, and for which Algorithm A outputs one-active-S-box.

Given such pairs we use Algorithm B to divide them into eight sets, sorted by the active S box. We can use this result to find a basis for the differences $P \oplus P^*$ of each set. The combination of all these bases forms a basis for the plaintext space, which relates to the inputs of the S boxes of the first round. In total we get eight sets, each consisting of eight basis vectors. Each set of basis vectors affects a different S box in the first round. We cannot identify the order of the S boxes nor any transformation on the inputs of individual S boxes. Therefore, this basis is all the information we can get on the linear transformation $L_0$. Without loss of generality, all the rest of the definition of $L_0$ can be viewed as part of the S boxes and their order.

This step of the attack is the most complex: about $2^{37}$ random plaintexts (the birthday bound for 1000 collisions on 64-bit blocks) are encrypted by the attacker in order to find about 1000 random collisions. However, a careful analysis shows that due to the structure of the cipher, the number of collisions will be about 256 times higher, and about 4000 of these collisions will have only one active S box. Then, the application of Algorithm A to identify the pairs with one active S box requires about 256 · 1000 · 2000 ≈ $2^{29}$ encryptions. The application of Algorithm B to recover the basis takes a few thousand additional encryptions. When applied efficiently, considering all the information we get during the analysis (such as a partial basis) and improvements to the attack (such as analysis of pairs with two or three active S boxes in the first round), the total complexity of this step can be reduced to below $2^{30}$.

3.2 Analyzing the Last Linear Transformation 

In the next step of the attack we find a basis for the ciphertexts, related to the outputs of the eight S boxes in the second round. We observe that inputs to the first layer of S boxes which differ only in the input to one S box cause a difference in the output of this S box only. In turn, the output of $L_1$ has differences in the inputs of most S boxes in the second round. In some cases, however, such differences do not affect one or two S boxes in the second round. Although, to overcome this weakness, designers might design the linear transformations as multipermutations from the outputs of the S boxes in one round to the inputs of the S boxes in the next round, a similar property may occur when differences in pairs of S boxes in the first round lead to zero differences in the inputs of one (or a few) S boxes in the second round.

Using the basis we got for the plaintexts, we can now control the inputs of selected S boxes in the first round. In particular, we can generate structures of many plaintexts with exactly the same value in the inputs to one (or two) S boxes in the first round, but with random values in the inputs to the rest of the S boxes. We can even generate pairs of plaintexts in which 1) in all pairs one member has some fixed (but unknown) input $F_1$ to one or two S boxes and the other member has some other fixed (but unknown) value $F_2$, 2) these fixed values $F_1$, $F_2$ are the same in all the pairs, 3) in each pair random values are selected for the inputs of the rest of the S boxes, and both members of the pair have the same values in all the rest of the S boxes. As an example of such pairs, the inputs of the S boxes in a pair can be $(F_1, R_1), (F_2, R_1)$, where in another pair it is $(F_1, R_2), (F_2, R_2)$, and in a third pair it is $(F_1, R_3), (F_2, R_3)$, etc. Note that the input differences to the second layer of S boxes are fixed in all the pairs of a structure, and depend only on $F_1 \oplus F_2$.

In this step we generate many such structures, compute the ciphertext differences, and compute a basis for the space spanned by the ciphertext differences. If there are differences in the inputs of all the S boxes in the second round, it is expected that the space spanned by the ciphertext differences is of dimension 64. If there is one S box with zero difference the spanned space is expected to be of dimension 56 (and cannot be larger than 56). In general, it is expected that non-zero differences in the inputs to m S boxes in the second round lead to dimension 8m of the spanned space. It is also expected that in such a case structures of about 100 pairs (200 encrypted plaintexts) suffice to span all the space, and additional pairs rarely enlarge the spanned space. It is also expected that about one of every 256/8 = 32 structures leads to a space of dimension less than 64. In order to divide the space into the partial spaces inherited from the outputs of the S boxes, we need about 7-10 such structures, and thus we need in total about 10 · 32 · 200 = 64000 encrypted plaintexts. At the end of this step we know all the possible information on $L_2$, except for the information that can be viewed as part of the S boxes.



3.3 Analyzing the Intermediate Layers 

Up to this point we showed how to remove the first and last linear transformations. Using this information we can now find how many (effective) output bits of each S box in the first round affect each one of the inputs of the S boxes in the second round. This step is performed by encrypting 256 plaintexts for each S box in the first round, which contain all the possible inputs to the S box, and in which the inputs to all the other S boxes are fixed. We count the number of different outputs of each S box in the second round. If the count is $2^m$ (or slightly smaller) for some m, there is a high probability that the rank of the linear transformation from the output of the S box in the first round to the input of (only) the S box in the second round is m.

From the same data we can even find information on the values of the S boxes, as by looking at the outputs of the S boxes in the second round we can group inputs to the S box in the first round by the values of the m bits of its output that affect the S box in the second round. By correlating this information among several S boxes in the second round we can complete most information on the S boxes in the first round, including their values, and the actual bits that are transferred by $L_1$ to each S box. The only values that we cannot identify are the affine constants, which can be viewed as part of the second S box layer instead.² It is now easy to complete the second layer of S boxes, as all the rest of the cipher is already recovered.



4 Discussion 

A possible improvement is using bijective S boxes in the first layer of S boxes. This modification ensures that the first step of the attack is not applicable, although other attacks might become practical. This modification can be combined with an increased number of rounds using non-bijective S boxes to protect against other kinds of attacks that require at least two rounds of non-bijective S boxes.

If the first layer of S boxes remains non-bijective, the first step of the attack can still find the first linear transformation regardless of the number of rounds and the design of the other rounds. Therefore, such a variant of this scheme may start with the layer of S boxes without a preceding linear transformation without affecting its security. In such a case we would propose using at least three layers of S boxes, each followed by a linear transformation, to ensure that the rest of the attack is not applicable. However, adding layers comes with an unacceptable penalty in the size of the public key and encryption speed.

² They can actually be eliminated, as the scheme is equivalent to a scheme in which the zero inputs to S boxes always have zero outputs, and the plaintext zero (or any other selected plaintext) is encrypted using only zero inputs of S boxes.

A promising improvement seems to be to discard the redundant input variables from the published equations, replacing them by their equivalent formulae in terms of other variables. In such a way Algorithm A might never output one-active-S-box in the first step of the attack. If in addition some of the 64 equations are also discarded, it seems that all the known attacks will not work.

Remark: The authors of [11] propose that the S boxes should not be kept secret. However, if the S boxes are not secret, it would simplify the recovery of the linear transformations in our attack, giving more information to the attacker. We highly recommend keeping the S boxes secret, just as they should be in the original 2R scheme.



5 Summary 

In this paper we proposed a practical attack, which is the first attack against Patarin's 2-Round Public Key System with S Boxes. For a block size of 64 bits, the complexity of the attack is about $2^{30}$ encryptions (that the attacker can compute on his own machine, as this is a public key scheme). The more secure variant with 128-bit blocks can be analyzed with complexity about $2^{60}$. Efficient implementations of the attack might even have marginally smaller complexities than these.
The Lorenz cipher system was used by the German Army High Command in World War II. It used a binary additive method for enciphering teleprinter signals.

The Lorenz machine used 12 wheels, each with a mutually prime number of small cams round its periphery, 501 in all. The wheels were geared together to ensure a very long repetition period. The task facing the code breaker was to find the patterns of cams round each wheel and the relative start positions to which the operator had turned the wheels before sending his message.

The cryptographic structure of the Lorenz machine was given away by a catastrophic mistake made by a German operator on 30th August 1941.

A special section was set up in Bletchley Park, the Allies' code breaking establishment, to attack this cipher, codename "Fish". Laborious hand methods were worked out which showed that it was possible, but only with 4 to 6 weeks' delay for deciphering each message.

Professor Max Newman had ideas for automating and speeding up the breaking. In March 1943 he approached Dr Tommy Flowers, who started designing and building Colossus to meet Max Newman's requirements for a machine to break Lorenz more quickly. Colossus was working by December 1943 and installed in Bletchley Park over Christmas 1943. It was working by January 1944 and successful in its first trial on a real cipher message. It reduced the time to break Lorenz from weeks to hours, providing vital intelligence just in time for D Day, the invasion of Europe on 6th June 1944.

After D Day 10 machines were built and working in Bletchley Park. Then at the end of the War eight machines were totally dismantled, and two went to GCHQ at Cheltenham. These were destroyed in 1960 together with all the drawings of Colossus, and its very existence was kept secret until the mid 1970s.

In 1991 Tony Sale and two colleagues started the campaign to save Bletchley Park from property developers. At this time he was restoring some early computers at the Science Museum in London. He thought it might be possible to rebuild Colossus and started gathering information. Eight wartime photographs and some fragments of circuit diagrams were recovered. He decided to have a go and had the basic Colossus working by 6th June 1996.

Now four years further on Colossus is nearly completed and demonstrates the power of what is now recognised as the world's first electronic programmable digital computer.
Abstract. We show that if any one-way function exists, then 3-round
concurrent zero-knowledge arguments for all NP problems can be built 
in a model where a short auxiliary string with a prescribed distribution is 
available to the players. We also show that a wide range of known efficient 
proofs of knowledge using specialized assumptions can be modified to 
work in this model with no essential loss of efficiency. We argue that the 
assumptions of the model will be satisfied in many practical scenarios 
where public key cryptography is used, in particular our construction 
works given any secure public key infrastructure. Finally, we point out 
that in a model with preprocessing (and no auxiliary string) proposed 
earlier, concurrent zero-knowledge for NP can be based on any one-way 
function. 



1 Introduction 

In a zero-knowledge protocol [23] , a prover convinces a verifier that some state- 
ment is true, while the verifier learns nothing except the validity of the asser- 
tion. Apart from being interesting as theoretical objects, it is well-known that 
zero-knowledge protocols are extremely useful tools for practical problems. For 
instance as stand-alone for identification schemes¹, but probably a more important application is as subprotocols in schemes for more complex tasks such as voting, electronic cash and distributed key generation.

Hence the applicability of the theory of zero-knowledge in real life is of ex- 
treme importance. One important aspect of this is composition of protocols, and 
the extent to which such composition preserves zero-knowledge. While sequen- 
tial composition does preserve zero-knowledge, this is not always the case for 
parallel composition [22] . 

In [12] Dwork, Naor and Sahai pointed out that the strict synchronization 
usually assumed when composing zero-knowledge protocols is unrealistic in sce- 
narios such as Internet based communication. Here, many instances of the same 

* Basic Research in Computer Science, Center of the Danish National Research
Foundation

¹ However, the identification problem can also be solved without using
zero-knowledge [2].
or different protocols may start at different times and may run with no fixed
timing of messages. What is needed here is a stronger property known as con- 
current zero-knowledge, i.e., even an arbitrary interleaving of several instances 
of zero-knowledge protocols is again zero-knowledge, even when the verifiers are 
all controlled by a single adversary, who may use information obtained from one 
protocol to determine its behavior in another instance. 

Unfortunately, standard constructions for zero-knowledge protocols fail to 
provide this property. This is because they are based on simulation by rewinding 
the verifier. In a concurrent setting, the simulator may be forced to rewind an 
exponential number of times. In fact, it seems that concurrent zero-knowledge 
cannot be provided at all in the usual model with as few rounds as ordinary 
zero-knowledge. Kilian, Petrank and Rackoff [19] show that only BPP languages 
have concurrent zero-knowledge proofs or arguments with 4 rounds or less, if 
black-box simulation is assumed².

Thus, a lot of research has gone into finding ways of getting around this
problem. In [12], it was shown that given constraints on the timing of messages³,
concurrent zero-knowledge can be achieved for all of NP in a constant number of
rounds. Subsequently it was shown that the need for timing constraints could be
pushed into a preprocessing phase [13]. In [10] it was shown that the timing
constraints in the preprocessing can be reduced to merely ensuring that all
preprocessings are finished before the main proofs start. This comes at the price
that the work needed in the preprocessing depends on the size and number of
statements to be proved later. Finally, Richardson and Kilian [26] show that it
is possible to do without timing constraints, at the expense of a non-constant
number of rounds.

We note that a completely different approach is possible: one could go for a
weaker property than zero-knowledge, one that would be preserved in a concurrent
setting. One such possibility is the Witness-Hiding (WH) protocols of Feige and
Shamir [15]. Most WH protocols are based on the standard paradigm of the prover
proving knowledge of one of two "computationally independent" witnesses without
revealing which one he knows. Such protocols are also WH when used concurrently,
and can be used to construct secure identification systems. In [8], very
efficient methods for building such protocols are developed. However, for more
general use, e.g., as subroutines in multiparty computation or verifiable secret
sharing protocols, WH is not always sufficient; one needs simulatability to prove
the overall protocol secure.

2 Our Work 

Our main objective is to show that concurrent zero-knowledge can sometimes be 
obtained in a simple way using standard tools. We do not claim any major new 
techniques, in fact our solution is quite straightforward. Nevertheless, we believe 

² Virtually all known zero-knowledge protocols are black-box simulatable.

³ These constraints are much milder than strict synchronization; please refer to
[12] for details.
it is useful to realize that in many real life scenarios, resources are available that
allow achieving concurrent zero-knowledge easily. 

We do not mean to suggest that our solution is always more practical than
previous methods for achieving concurrent zero-knowledge in constant round,
such as the timing based one from [12]. In fact the solutions are based on
assumptions of a very different nature. Which solution is preferable will often
depend on the actual scenario in which you want the solution to work.

Also, nothing we say here makes the theoretical work on the subject less 
interesting or important - a major problem, namely whether concurrent zero- 
knowledge for NP can be achieved in constant round without extra assumptions, 
remains open. 

Independently, Kilian and Petrank [18] and Canetti, Goldreich, Goldwasser 
and Micali [9] have made observations similar to ours, in the case of [9] as a 
result of introducing a new general concept called Resettable Zero-Knowledge. 



2.1 The Model 

Our work starts from the following assumption: an auxiliary string with a
prescribed distribution is available to the prover and verifier. Given this
assumption we will see that concurrent zero-knowledge can be achieved in
constant round with no timing constraints or preprocessing. Informally,
zero-knowledge in such a setting means as usual that the verifier's entire view
can be simulated efficiently, which here means its view of the interaction with
the prover, as well as the auxiliary string. Soundness means that no polynomial
time prover can cheat the verifier with non-negligible probability, where the
probability is taken over the choice of the auxiliary string as well as the coin
tosses of the players.

More formally, an interactive argument for a language L in this model consists
of a probabilistic polynomial time algorithm G, and polynomial time interactive
Turing Machines P, V. The algorithm G gets as input 1^k and outputs an
auxiliary string σ. P, V then get σ and a word x of length k as input, and P
gets a private input w. At the end of the interaction, V halts and outputs accept
or reject. When we talk about the probability of acceptance or rejection in the
following, these probabilities are taken over the coin tosses of G, P and V. Note
that even when we consider cheating provers, we still assume that σ is correctly
generated (by G).

As usual, a negligible function δ(·) from natural to real numbers is a function
such that δ(k) < 1/p(k) for all polynomials p(·) and all large enough k.

Definition 1. We say that (G, P, V) is an interactive argument in the auxiliary
string model for language L, if

— For every x ∈ L, there is a w such that if P gets w as private input, V will
accept on input x.

— For words x ∉ L, and for every probabilistic polynomial time prover, the
probability that V accepts input x is negligible in |x|.
We have defined here for simplicity only the case where an auxiliary string
is only used to prove a single statement, and where the input parameter to G
is set equal to the length of the common input x. None of these restrictions are
essential, and they can be ignored in a practical application.

To define zero-knowledge, we consider as usual an arbitrary probabilistic
polynomial time verifier V* that gets private auxiliary input y of length
polynomial in |x|. We then have:

Definition 2. For any verifier V*, there exists a simulator M_{V*} such that for
words x ∈ L and arbitrary auxiliary inputs y, M_{V*} runs in expected polynomial
time, and the distribution of M_{V*}(x, y) is polynomially indistinguishable from
the view of V* produced from the same input (namely σ, the random coins of V*,
and the conversation with P).

Note that the standard non-interactive zero-knowledge model (where the 
auxiliary string is a uniformly chosen random string) [3] is a special case, and 
indeed by their very nature non-interactive zero-knowledge proofs do not require 
rewinding to simulate, and so are robust in a concurrent setting. It is even 
possible to do any polynomial number of non-interactive proofs based on the 
same globally shared random string [14]. 

However, there are still several reasons why non-interactive zero-knowledge 
proofs are not the answer to all our problems: they are in general much less 
efficient than interactive ones and - as far as we know - require stronger cryp- 
tographic assumptions (trapdoor one-way permutations as opposed to arbitrary 
one-way functions). We would like a solution allowing us to use standard efficient 
constructions of protocols securely in a concurrent setting, without significant 
loss of efficiency. 

We also need to consider proofs of knowledge in our model. For this, we use a
straightforward adaptation of the definition of Bellare and Goldreich, in the
version modified for computationally convincing proofs of knowledge [4]. The
scenario, consisting of G, P, V, is the same as before. Now, however, the language
L is replaced by a binary relation R, and the prover's claim for the given common
input x is that he knows w such that (x, w) ∈ R.

Definition 3. We say that (G, P, V) is a proof of knowledge for R in the
auxiliary string model, with knowledge error κ(·), if

— If P is given w such that (x, w) ∈ R, then V accepts.

— There exists an extractor, a machine with oracle access to the prover which
on input x outputs w with (x, w) ∈ R. This extractor must satisfy the following
for any probabilistic polynomial time prover and any long enough x: if the
prover's probability ε(x) of making the verifier accept is larger than κ(x),
then the extractor runs in expected time p(|x|)/(ε(x) − κ(x)).

The model we use (with a general auxiliary string) was also used in [5] (for 
a different purpose). The rationale for allowing a general distribution of the 
reference string is of course that one may hope that this allows for more efficient 
protocols, for example a much shorter auxiliary string. The problem, on the
other hand, may be that requiring a more powerful resource makes the model less
realistic.

However, as we shall see, our protocols do in fact apply to a realistic situation,
namely a public-key cryptography setting where users have public/private key
pairs. In fact our prover and verifier do not need to have key pairs themselves;
nevertheless, they will be able to prove and verify general NP statements in
concurrent zero-knowledge by using the public key P_A of a third party A as
auxiliary string. This will work, provided that

— The verifier believes that A's secret key is not known to the prover.

— The prover believes that P_A was generated using the proper key generation
algorithm for the public-key system in use.

We stress that A does not need to take part in the protocols at all, nor does he 
need to be aware that his public key is being used this way, in particular keys for 
standard public key systems like RSA, El Gamal or DSS can be used directly. 

Note that if we have a secure public key infrastructure where public keys 
are being certified by a certification authority (CA), then all our demands are 
already automatically satisfied because the CA can serve as player A in the 
above: in order for the infrastructure to be secure in the first place, each user 
needs to have an authentic copy of the CA’s public key available, and one must 
of course trust that the CA generated its public key in the proper way and does 
not reveal its private key to anyone else. 

So although our model does make stronger assumptions on the environment 
than the standard one, we believe that this can be reasonable: The problem of 
concurrent zero-knowledge arises from the need to apply zero-knowledge proto- 
cols in real situations. But then solutions to this problem should be also allowed 
to take advantage of resources that may exist in such scenarios. 

It is important to realize one way in which our model can behave differently
from the standard one: suppose a verifier shows to a third party a transcript of
his interaction with the prover as evidence that the protocol really took place.
Then, in our model, there are scenarios where this will be convincing to the
third party (contrary to what is the case with the standard model). This may in
some applications be a problem because it can harm the privacy of users. We
stress, however, that in the case where a public-key infrastructure exists, there
are ways around this problem. We discuss this issue in more detail in Section 4.



2.2 The Results 

Our first result is a construction for protocols of a particular form. Assume we 
have a binary relation R, and a 3-move proof of knowledge for R, where the 
verifier sends a random challenge as the second message. Thus this protocol gets 
a string x as common input for prover and verifier, whereas the prover gets as 
private input a witness for x, i.e. w such that (x, w) ∈ R. Conversations in the
protocol are of form (a, e, z), where the prover chooses a, z. We will assume that
the protocol is honest verifier zero-knowledge in the sense that given e, one can
efficiently compute a correctly distributed conversation where e is the challenge.
Finally we assume that a cheating prover can answer only one of the possible
challenges, or more precisely, from the common input x and any pair of accepting
conversations (a, e, z), (a, e', z') where e ≠ e', one can compute a witness for x.
We call this a Σ-protocol in the following. We have

Theorem 1. Given any binary relation R and a Σ-protocol for R: if one-way
functions exist, then there exists a computationally convincing and concurrent
zero-knowledge 3-move proof of knowledge (with negligible knowledge error and
no timing constraints) for R in the auxiliary string model.

The construction behind this result can be applied in practice to the well known 
proofs of knowledge of Schnorr [21] and Guillou-Quisquater [16] to yield con- 
current zero-knowledge proofs of knowledge in the auxiliary string model with 
negligible loss of efficiency compared to the original protocols (which were not 
even zero-knowledge in the usual sense!). The idea behind this result also imme- 
diately gives: 

Theorem 2. If one-way functions exist, there exist 3-move concurrent zero- 
knowledge interactive arguments in the auxiliary string model (with no timing 
constraints) for any NP problem. 

In both these results, the length of the auxiliary string is essentially the size 
of the computational problem the prover must solve in order to cheat. The length 
does not depend on the size or the number of statements proved. 

Our final result is an observation concerning the preprocessing model of 
Dwork and Sahai [13] (where there is no auxiliary string). It was shown in [13] 
that prover and verifier can do a once-and-for-all preprocessing (where timing 
constraints are applied), and then do any number of interactive arguments for 
any NP problem in concurrent zero-knowledge (with no timing constraints) in 4 
rounds. This was shown under the assumption that one-way trapdoor permuta- 
tions exist. Below, we observe the following: 

Theorem 3. If any one-way function exists, then any NP problem has a 3-round
concurrent zero-knowledge argument in the preprocessing model of Dwork and
Sahai.

We note that our preprocessing is once-and-for-all, like the one in [13]: once 
the preprocessing is done, the prover and verifier can execute any polynomial 
number of proofs securely, and the complexity of the preprocessing does not 
depend on the number or size of the statements proved. 

3 The Protocols 

3.1 Trapdoor Commitment Schemes

In a commitment scheme, a committer C can commit himself to a secret s chosen
from some finite set by sending a commitment to a receiver R. The receiver should
be unable to find s from the commitment, yet C should be able to later open the
commitment and convince R about the original choice of s.

A trapdoor commitment scheme is a special case that can be loosely described as
follows: first a public key pk is chosen based on a security parameter value k,
usually by R by running a probabilistic polynomial time generator G. Then pk is
sent to C. There is a fixed function commit that C can use to compute a
commitment c to s by choosing some random input r, and setting
c = commit(s, r, pk). Opening takes place by revealing s, r to R, who can then
check that commit(s, r, pk) is the value he received originally.

We then require the following: 

Hiding: For a pk correctly generated by G, uniform r, r' and any s, s', the
distributions of commit(s, r, pk) and commit(s', r', pk) are polynomially
indistinguishable (as defined in [23]).

Binding: There is a negligible function δ(·) such that for any (possibly
cheating) committer C* running in expected polynomial time (in k), the
probability that C* on input pk computes s, r, s', r' such that
commit(s, r, pk) = commit(s', r', pk) and s ≠ s' is at most δ(k).

Trapdoor Property: The algorithm for generating pk also outputs a string t, the
trapdoor. There is an efficient algorithm which on input t, pk outputs a
commitment c, and then on input any s produces r such that c = commit(s, r, pk).
The distribution of c is polynomially indistinguishable from that of
commitments computed in the usual way.

In other words, the commitment scheme is binding if you know only pk, but 
given the trapdoor, you can cheat arbitrarily. 

From the results in Shamir et al. [20], it follows that existence of any one-way
function f implies the existence of a trapdoor commitment scheme, where the
public key is simply f(y), where y is chosen uniformly in the input domain of
f, and y is the trapdoor. Based on standard intractability assumptions such as
hardness of discrete log or RSA root extraction, very efficient trapdoor
commitment schemes can be built, see e.g. [6].

3.2 A Construction for Σ-Protocols

In what follows, we will assume that we have a relation R and a Σ-protocol 𝒫
for R. The prover and verifier get as common input x, while the prover gets as
private input w, such that (x, w) ∈ R.

We will be in the auxiliary string model, where the auxiliary string will be the
public key pk of a trapdoor commitment scheme, generated from security parameter
value k = |x|. For simplicity, we assume that the commitment scheme allows to
commit in one commitment to any string a that may occur as the first message in
𝒫 (in case of a bit commitment scheme, we could just commit bit by bit). Finally,
note that since the properties of a Σ-protocol are preserved under parallel
composition, we may assume without loss of generality that the length of a
challenge e in the protocol is at least k.

The protocol then proceeds as follows: 
1. On input x, w, the prover computes a using the prover's algorithm from 𝒫,
chooses r at random and sends c = commit(a, r, pk) to the verifier.

2. The verifier chooses e at random and sends it to the prover.

3. The prover computes z, the answer to challenge e in 𝒫, and sends z, a, r to
the verifier.

4. The verifier accepts iff it would have accepted on x, a, e, z in 𝒫, and if
c = commit(a, r, pk).

It is straightforward to show that this protocol has the desired properties. 
First, a simulator for the protocol given an arbitrary verifier V*: 

1. Generate pk with known trapdoor t and give x,pk to V*. 

2. Send a commitment c computed according to the trapdoor property to V* 
and get e back. 

3. Run the honest verifier simulator on input e to get an accepting conversation
(a, e, z) in the original protocol. Use the trapdoor to compute r such that
c = commit(a, r, pk). Send z, a, r to V*.

This simulation works based on the hiding and trapdoor properties of the com- 
mitment scheme, and does not require rewinding of V* , hence the protocol is 
also concurrent zero-knowledge. 
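The protocol of Section 3.2 and its straight-line simulator, as an added example that is not part of the paper: a Schnorr Σ-protocol wrapped with a Pedersen trapdoor commitment whose key h = g^t has the shape of the discrete-log public key that Section 4 proposes reusing. The toy group (p = 2039, q = 1019, g = 4), the hash-to-Z_q function H and the verifier strategy are constructed assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 4 generates the
# subgroup of prime order q.  A real deployment uses a standard ~2048-bit group.
P, Q, G = 2039, 1019, 4


def H(*parts):
    """Constructed hash into Z_q; Section 4 commits to a hash of the first message."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Pedersen key h = g^t with trapdoor t: the same shape as a DSS/El Gamal key."""
    t = secrets.randbelow(Q - 1) + 1
    return pow(G, t, P), t


def commit(s, r, h):
    """commit(s, r, pk) = g^s h^r mod p; hiding for any s, binding without t."""
    return (pow(G, s, P) * pow(h, r, P)) % P


def fake_commit(h):
    """Trapdoor property, part 1: a commitment c = h^r0 whose content is decided later."""
    r0 = secrets.randbelow(Q)
    return pow(h, r0, P), r0


def equivocate(r0, s, t):
    """Trapdoor property, part 2: r with g^s h^r = h^r0, i.e. r = r0 - s/t mod q."""
    return (r0 - s * pow(t, -1, Q)) % Q


class SchnorrProver:
    """Prover side of the Σ-protocol for R = {(y, w) : y = g^w mod p}."""

    def __init__(self, w):
        self.w, self.u = w, secrets.randbelow(Q)

    def first_message(self):
        return pow(G, self.u, P)                     # a = g^u

    def answer(self, e):
        return (self.u + e * self.w) % Q             # z = u + e w


def schnorr_verify(y, a, e, z):
    return pow(G, z, P) == (a * pow(y, e, P)) % P    # g^z == a y^e


def schnorr_hv_simulate(y, e):
    """Honest-verifier simulator: for a given e, an accepting (a, e, z) without w."""
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(y, (-e) % Q, P)) % P
    return a, z


def verify(y, h, c, e, a, r, z):
    """Step 4: accept iff c opens to (the hash of) a and (a, e, z) is accepting."""
    return c == commit(H(a), r, h) and schnorr_verify(y, a, e, z)


def run_protocol(y, w, h, verifier_challenge):
    """Steps 1-3 of Section 3.2 against an arbitrary challenge strategy of V*."""
    prover = SchnorrProver(w)
    a = prover.first_message()
    r = secrets.randbelow(Q)
    c = commit(H(a), r, h)                           # 1. send c = commit(a, r, pk)
    e = verifier_challenge(y, h, c)                  # 2. verifier picks e
    z = prover.answer(e)                             # 3. send z, a, r
    return verify(y, h, c, e, a, r, z)


def simulate(y, verifier_challenge):
    """Straight-line simulator: no witness, no rewinding, pk generated with its trapdoor."""
    h, t = keygen()                                  # 1. pk with known trapdoor
    c, r0 = fake_commit(h)                           # 2. trapdoor commitment, get e back
    e = verifier_challenge(y, h, c)
    a, z = schnorr_hv_simulate(y, e)                 # 3. honest-verifier simulation on e
    r = equivocate(r0, H(a), t)                      #    open c as commit(H(a), r, pk)
    return h, (c, e, a, r, z)


def adversarial_challenge(y, h, c):
    """Constructed V*: a challenge that depends on everything seen so far."""
    return H(y, h, c)


if __name__ == "__main__":
    w = secrets.randbelow(Q)
    y = pow(G, w, P)
    h, _ = keygen()
    print("real run accepted:", run_protocol(y, w, h, adversarial_challenge))
    h_sim, transcript = simulate(y, adversarial_challenge)
    print("simulated transcript accepted:", verify(y, h_sim, *transcript))
```

The simulated transcript passes the same verify() as a real run even though simulate() never sees w, and equivocate() is the only step that needs t, which is why the auxiliary string must come from a party whose trapdoor the prover does not know.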

To show it is a proof of knowledge with knowledge error κ(·), we will show that
the protocol satisfies the definition when we choose κ(x) = 1/q(|x|) for any
polynomial q(·); thus the "true" knowledge error is smaller than any polynomial
and so is negligible. This analysis is rather loose because we are dealing with a
general type of intractability assumption. A much better analysis can be obtained
from making a concrete assumption on a particular commitment scheme.

Our algorithm for extracting a witness will be based on the following

Claim. From any prover convincing the verifier with probability ε(x) > 1/q(k),
we can extract, using rewinding, convincing answers to two different challenges
e, e' (on the same initial message), in time proportional to 1/ε(x) for all large
enough k (recall that we have set k = |x|).

Intuitively, this is just because 1/q(k) > 2^{−k} for all large enough k, and a
success probability larger than 2^{−k} must mean that you can answer more than
one challenge, since the number of challenges is at least 2^k. However, the proof
is a bit less obvious than it may seem: the prover may be probabilistic, but we
still have to fix his random tape once we start rewinding. And there is no
guarantee that the prover has success probability ε(x) for all choices of random
tapes; indeed ε(x) is the average over all such choices. However, a strategy for
probing the prover can be devised that circumvents this problem:

Using a line of reasoning devised by Shamir, let H be a matrix with one row for
each possible set of random choices by the prover, and 2^k columns indexed by the
possible challenges (assume for simplicity that there are precisely 2^k). In the
matrix we write 1 if the verifier accepts with this random choice and challenge,
and 0 otherwise. Say a row is heavy if the fraction of 1's in it is more than
ε(x)/2. Since the total fraction of 1's in H is ε(x), at least 1/2 of the 1's are
located in heavy rows. By using the prover as a black box, we can probe random
entries in H, or random entries in a given row, and the goal is of course to find
two 1's in the same row. Consider the following algorithm:

1. Probe random entries in H until a 1 is found.

2. Start running the following two processes in parallel. Stop when at least one
of them stops.

A. Probe random entries in the row where we already found a 1; stop when
a new 1 is found.

B. Repeatedly flip a random coin that comes out heads with probability
ε(x)/c (where c is an appropriately chosen constant, see below), and
stop as soon as heads comes out. This can be done, e.g., by probing
a random entry in H, choosing a random number among 1, ..., c, and
outputting heads iff both the entry and the number were 1.

3. If process A finished first, output the position of the two 1-entries found.

This algorithm obviously runs in expected time a polynomial in k times
O(1/ε(x)).

We then look at the success probability: assume the row we find is heavy. Then
the expected number of trials to find a new 1 is
T(ε(x)) = 2^k/(ε(x)·2^{k−1} − 1), which is O(1/ε(x)) if ε(x) > 2^{−k+2}; and
this last condition certainly holds for all large enough k. The probability that
A uses less than 2T(ε(x)) trials is at least 1/2. By choosing c large enough, we
can ensure that the probability that B uses more trials than 2T(ε(x)) is
constant. Since the probability that we find a heavy row to begin with is
constant (1/2), the total success probability is also constant. Hence repeating
this entire procedure until we have success takes expected time a polynomial in
k times O(1/ε(x)), as required. This finishes the proof of the above claim.
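The probing algorithm above run against a black-box prover, as an added example that is not from the paper: the prover is a constructed 0/1 matrix H (rows are random tapes, columns are challenges) that the extractor can only probe, and process B's biased coin is built from probes so the extractor never needs to know ε(x). The matrix dimensions, row densities and the constant c = 8 are constructed assumptions.

```python
import random


class BlackBoxProver:
    """H[row][col] = 1 iff the verifier accepts with random tape `row` and challenge
    `col`.  The extractor may only probe entries, i.e. run (and rewind) the prover."""

    def __init__(self, H):
        self.H, self.probes = H, 0

    @property
    def rows(self):
        return len(self.H)

    @property
    def cols(self):
        return len(self.H[0])

    def probe(self, row, col):
        self.probes += 1
        return self.H[row][col]


def extract_two_answers(prover, c=8, rng=random):
    """Return (row, e, e2) with H[row][e] = H[row][e2] = 1 and e != e2.
    Process B's coin comes out heads with probability eps(x)/c without anyone
    computing eps(x): a random entry of H is 1 with probability eps(x)."""
    rows, cols = prover.rows, prover.cols
    while True:                                         # repeat until success
        while True:                                     # 1. find any 1 in H
            row, e = rng.randrange(rows), rng.randrange(cols)
            if prover.probe(row, e):
                break
        while True:                                     # 2. run A and B in lockstep
            e2 = rng.randrange(cols)                    # A: probe the found row
            if e2 != e and prover.probe(row, e2):
                return row, e, e2                       # 3. A finished first
            r2, c2 = rng.randrange(rows), rng.randrange(cols)
            if prover.probe(r2, c2) and rng.randrange(c) == 0:
                break                                   # B: heads, abandon this row


def build_prover(rows=64, cols=256, heavy_fraction=0.5, density=0.25, seed=0):
    """Constructed H: a `heavy_fraction` of the rows accept a `density` of the
    challenges and the rest never accept, so eps(x) = heavy_fraction * density."""
    rng = random.Random(seed)
    H = []
    for row in range(rows):
        if row < rows * heavy_fraction:
            H.append([1 if rng.random() < density else 0 for _ in range(cols)])
        else:
            H.append([0] * cols)
    return BlackBoxProver(H)


def demo_run(seed=1):
    """Deterministic run on the constructed prover: returns (prover, row, e, e2)."""
    prover = build_prover()
    row, e, e2 = extract_two_answers(prover, rng=random.Random(seed))
    return prover, row, e, e2


if __name__ == "__main__":
    prover, row, e, e2 = demo_run()
    print(f"tape {row}: challenges {e} and {e2} both accepted "
          f"after {prover.probes} probes")
```

A row holding exactly one 1 is the case process B exists for: A would never finish there, and without B the extractor would hang instead of drawing a fresh row.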

Once we are successful, we get commitment c, conversations (a, e, z), (a', e', z')
that are accepting in the original protocol, and finally values r, r' such that
c = commit(a, r, pk) = commit(a', r', pk). If a = a', a witness for the common
input x can be computed by assumption on the original protocol. Our extractor
simply repeats the whole extraction process until a = a'.

Since one repeat of the extraction process takes expected polynomial time, it
follows from the binding condition of the commitment scheme that the case a ≠ a'
occurs with negligible probability, at most δ(k). Hence the entire extractor
takes expected time 1/(1 − δ(k)) times the time needed for one attempt. This is
certainly at most p(|x|)/(ε(x) − 1/q(|x|)) for some polynomial p(·).

This and the result from [20] above on existence of trapdoor commitments 
now implies Theorem 1. As for Theorem 2, we just need to observe that the 
standard zero-knowledge interactive protocols for NP complete problems [24,1] 
can in fact be based on any commitment scheme. They are usually described as 
sequential iterations of a basic 3-move protocol. However, in our model we will 
use a trapdoor commitment scheme, and do the iterations in parallel: it is then 
trivial that the protocols can be straight line simulated if the simulator knows the 
trapdoor. And soundness for a poly-time bounded prover follows by a standard 
rewinding argument. A more careful analysis of the error probability and the
way it depends on the intractability assumption we make can be obtained using
the definitions from [11].

This same idea applies easily to the preprocessing model (with no auxiliary 
string) of Dwork and Sahai [13]: here, the prover and verifier are allowed to do a 
preprocessing, where timing constraints are used in order to ensure concurrent 
zero-knowledge. After this, the goal is to be able to do any number of interactive 
arguments in concurrent zero-knowledge, without timing constraints. In [13], it 
is shown how to achieve this based on existence of one-way trapdoor permuta- 
tions. However, an idea similar to the above will allow us to do it based on any 
one-way function (and a smaller number of rounds): In the preprocessing, the 
verifier chooses an instance of the trapdoor commitment scheme from [20] and 
sends the public key to the prover. The verifier then proves knowledge of the 
trapdoor. After this, any number of interactive arguments for NP problems can 
be carried out in constant round and concurrent zero-knowledge. We will use the 
parallel version of [24] or [1] based on the commitment scheme we established in 
the preprocessing. Simulation can be done by extracting the trapdoor from the
verifier's proof of knowledge (here, rewinding is allowed because of the timing
constraints) and then simulating the main proofs straight-line.



4 Implementation in Practice 

In our arguments for practicality of our model, we claimed that the public key 
of a third party can be used as auxiliary string. Given the construction above, 
this amounts to claiming that the public key of any public-key crypto-system or 
signature scheme can also be used without modification as the public key of a 
trapdoor commitment scheme. 

We can assume that the public key was generated using some known key 
generation algorithm (recall that we originally assumed about the third party 
that he generates his keys properly and does not give away the private key). 
Clearly, the function mapping the random bits consumed by this algorithm to 
the resulting public key must be one-way. Otherwise, the system could be broken 
by reconstructing the random input and running the algorithm to obtain the 
private key. Thus, from a theoretical point of view, we can always think of the 
public key as the image of a random input under a one-way function and apply 
the commitment scheme from [20]. 

This will not be a practical solution. But fortunately, standard public key
systems used in real life allow much more efficient implementations. Any system
based on discrete logarithms in a prime order group, such as DSS, many El Gamal
variants, and Cramer-Shoup, has as part of the public key some group element of
the form g^x, where x is private and g is public, and where g has prime order q.
This is precisely the public key needed for the trapdoor commitment scheme of
Pedersen [25], which allows commitment to a string of length log q in one
commitment.
If we have an RSA public key with modulus n, we can always construct from this a
public key for the RSA based trapdoor commitment scheme described in [6]. We
define q to be the least prime such that q > n (this can easily be computed by
both prover and verifier). We then fix some number b in Z_n^*; this could for
instance be a string representing the name of the verifier. The intractability
assumption for the commitment scheme then is that the prover will not be able to
extract a q-th root mod n of b (such a root always exists by choice of q). Also
this scheme allows commitment to log q bits in one commitment.
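The RSA-derived commitment key above, as an added example that is not from the paper or from [6]: prover and verifier compute q and b from the public modulus n alone, the holder of the RSA private key obtains the trapdoor (a q-th root of b), and two openings of one commitment to different values yield such a root, which is the binding argument. The commit function c = b^s · r^q mod n, the toy primes 101 and 103 and the verifier name are constructed assumptions.

```python
import hashlib
from math import gcd


def is_prime(m):
    """Trial division, adequate for the toy-size moduli used in this example."""
    if m < 2:
        return False
    i = 2
    while i * i <= m:
        if m % i == 0:
            return False
        i += 1
    return True


def least_prime_above(n):
    q = n + 1
    while not is_prime(q):
        q += 1
    return q


def derive_commit_key(n, verifier_name):
    """Prover and verifier both compute (q, b) from the public modulus n: q is the
    least prime > n and b in Z_n^* is derived from the verifier's name (constructed)."""
    q = least_prime_above(n)
    digest = hashlib.sha256(verifier_name.encode()).digest()
    b = 1 + int.from_bytes(digest, "big") % (n - 1)
    while gcd(b, n) != 1:            # keep b in Z_n^* (a hit here would also factor n)
        b = b % (n - 1) + 1
    return q, b


def commit(s, r, n, q, b):
    """c = b^s r^q mod n for s in [0, q) and r in Z_n^*."""
    assert 0 <= s < q and gcd(r, n) == 1
    return (pow(b, s, n) * pow(r, q, n)) % n


def trapdoor(b, n, phi, q):
    """With the RSA private key (phi(n)) a q-th root of b is computable, because
    q > n > phi(n) makes the prime q invertible modulo phi(n)."""
    return pow(b, pow(q, -1, phi), n)


def equivocate(s, r, s_new, beta, n):
    """Reopen c = b^s r^q as s_new: r' = r * beta^(s - s_new) gives
    b^s_new r'^q = b^s r^q (negative exponents are fine, beta is a unit mod n)."""
    return (r * pow(beta, s - s_new, n)) % n


def egcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def root_from_collision(s, r, s2, r2, n, q, b):
    """Binding reduction: openings (s, r), (s2, r2) of one commitment with s != s2
    give (r2/r)^q = b^(s - s2); as 0 < |s - s2| < q, Euclid turns that into b^(1/q)."""
    d = s - s2
    g, alpha, gamma = egcd(d, q)                    # alpha*d + gamma*q = 1
    assert g == 1
    ratio = (r2 * pow(r, -1, n)) % n
    return (pow(ratio, alpha, n) * pow(b, gamma, n)) % n


if __name__ == "__main__":
    p1, p2 = 101, 103                               # constructed toy RSA primes
    n, phi = p1 * p2, (p1 - 1) * (p2 - 1)
    q, b = derive_commit_key(n, "verifier@example.org")
    c = commit(4242, 2, n, q, b)
    beta = trapdoor(b, n, phi, q)
    r2 = equivocate(4242, 2, 77, beta, n)
    print("key holder reopens c as 77:", commit(77, r2, n, q, b) == c)
    root = root_from_collision(4242, 2, 77, r2, n, q, b)
    print("two openings gave a q-th root of b:", pow(root, q, n) == b)
```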

Note that when executing a proof of the kind we constructed, it is always enough
in practice for the prover to make only one commitment: he can always hash the
string he wants to commit to using a standard collision intractable hash
function and commit to the hash value. This means that well known efficient
protocols can be executed in this model with no significant loss of efficiency.

Finally, we discuss the issue of whether a verifier can prove to a third party 
that he interacted with the prover. We give an example where this is possible in 
our model: 

Suppose a public key pk is used as auxiliary string as we have described, to 
do proofs of knowledge for a hard relation. And suppose the verifier V interacts 
with a prover and then shows a transcript of the interaction to a third party C 
as evidence that the protocol actually took place. 

Note that V, if he wanted to create the transcript completely on his own, 
would have to simulate the protocol given the fixed key pk. Now, if V computes 
his challenge string for instance by applying a one-way function to the first 
message sent by the prover in the protocol, this simulation appears to be a hard 
problem, unless one knows either the private key corresponding to pk or the 
prover’s secret. Of course, this is different from simulating the verifier’s entire 
view, which includes the random choice of pk - this can indeed be done efficiently 
since the protocol is zero-knowledge in our model. 

So in this scenario, C would have to conclude that V could only have obtained 
the transcript by either interacting with the prover or cooperating with the party 
who generated pk in the first place. And if for instance this party is a CA that 
C trusts then he can exclude the latter possibility. 

The implications of this property depend entirely on the scenario we are in. 
In some cases it can be an advantage to be able to prove that a protocol really 
took place, in other cases such tracing would harm the privacy of users. 

However, in a case where a public-key infrastructure is available, in particular
when V has a public key pk_V known to P, one can change the protocol slightly,
making it harder for V to convince C. The idea is to redefine the way in which P
commits to bits, such that a commitment to bit b will have the form
commit(pk, b₁), commit(pk_V, b₂), where P chooses b₁, b₂ randomly such that
b = b₁ ⊕ b₂. This preserves binding and hence soundness because P does not know
an honest V's private key. Also hiding and hence zero-knowledge is preserved
because we can still assume that pk is correctly generated and so no information
on b₁ is leaked. However, assuming that V actually knows his own private key, he
can clearly use it as trapdoor for the commitment in order to simulate the
protocol without interacting with P, and so seeing a transcript will not
convince C in this case. This idea is closely related to the concept of verifier
designated proofs (see e.g. [7,17]).
Abstract. Alice wants to prove that she is young enough to borrow money from
her bank, without revealing her age. She therefore needs a tool for proving
that a committed number lies in a specific interval. Up to now, such tools were
either inefficient (too many bits to compute and to transmit) or inexact (i.e.
proved membership to a much larger interval). This paper presents a new proof,
which is both efficient and exact. Here, "efficient" means that there are less
than 20 exponentiations to perform and less than 2 Kbytes to transmit. The
potential areas of application of this proof are numerous (electronic cash,
group signatures, publicly verifiable secret encryption, etc.).



1 Introduction 

The idea of checking whether a committed integer lies in a specific interval
was first developed in [2]. Such proofs are intensively used in several
schemes: electronic cash systems [7], group signatures [11], publicly verifiable
secret sharing schemes [17,4], and other zero-knowledge protocols (e.g. [13,10]).
Nowadays, there exist two methods to prove that a committed integer is in a
specific interval:

— the first one (see e.g. [17]) allows to prove that the bit-length of the
committed number is less than or equal to a fixed value $k$, and hence that it
belongs to $[0, 2^k - 1]$. Unfortunately, this method is very inefficient.

— the second one (see e.g. [2,8]) is much more efficient, but the price to pay is
that only membership to a much larger interval can be proven.

In this paper, we give a new method to prove that a committed number belongs to
an interval that is much more efficient than the first method and that
effectively proves, unlike the second method, that a committed number $x \in I$
belongs to $I$ (and not to a larger interval).

Throughout this paper, $\mathbb{Z}_n$ denotes the residue class ring modulo $n$,
and $\mathbb{Z}_n^*$ denotes the multiplicative group of invertible elements in
$\mathbb{Z}_n$. $|\cdot|$ denotes binary length, and $a \| b$ is the concatenation
of the strings $a$ and $b$. We denote by $\sharp I$ the cardinality of the set
$I$. For $g \in \mathbb{Z}_n^*$ and $a$ in the group generated by $g$, we denote by
$\log_g(a)$ the discrete logarithm of $a$ in base $g$ modulo $n$, i.e. the number
$x$ such that $a = g^x \bmod n$ which belongs to
$\{-\mathrm{ord}(g)/2, \ldots, \mathrm{ord}(g)/2 - 1\}$, where $\mathrm{ord}(g)$ is
the order of $g$ in $\mathbb{Z}_n^*$. We denote by $PK(x : \mathcal{R}(x))$ a
zero-knowledge proof of knowledge of $x$ such that $\mathcal{R}(x)$ is true.

1.1 Definitions 

Definition 1 Let $E = BC(x)$ be a commitment to a value $x \in [b_1, b_2]$. A
proof of membership to an interval $[b_1, b_2]$ is a proof of knowledge that
ensures the verifier that the prover knows $x$ such that $E = BC(x)$ and that $x$
belongs to $[B_1, B_2]$, an interval which contains $[b_1, b_2]$.

Definition 2 Following the notations of Definition 1, the expansion rate of a
proof of membership to an interval is the quantity
$\delta = (B_2 - B_1)/(b_2 - b_1)$. This quantity may or may not depend on
$(b_2 - b_1)$.

We evaluate the quality of a proof of membership to an interval by the length
of the proof (which must be as short as possible) and by its expansion rate
(which must be as low as possible).

1.2 Known Results 

In this subsection, we present three existing proofs of membership to an
interval. They are based on zero-knowledge proofs of knowledge of a discrete
logarithm either modulo a prime (Schnorr [19]) or a composite number
(Girault [16]).



1.2.1 Classical Proof [17]

This protocol proves that a committed number $x \in I = [0, b]$ belongs to
$J = [0, 2^k - 1]$, where the binary length of $b$ is $k$.

Let $p$ be a large prime number, let $q$ be such that $q \mid p - 1$, and let
$g$ and $h$ be elements of order $q$ in $\mathbb{Z}_p^*$ such that the discrete
logarithm of $h$ in base $g$ is unknown to Alice. We denote by
$E(x, r) = g^x h^r \bmod p$ a commitment to $x$, where $r$ is randomly selected
over $\mathbb{Z}_q^*$. Let $x = x_0 2^0 + x_1 2^1 + \cdots + x_{k-1} 2^{k-1}$, for
$x_i \in \{0, 1\}$ and $i = 0, 1, \ldots, k - 1$, be the binary representation of
$x$. Alice sets $E_i = E(x_i, r_i)$ for $i = 0, 1, \ldots, k - 1$, where the $r_i$
are such that $\sum_{i=0}^{k-1} 2^i r_i = r \pmod q$, and proves for all $i$ that
the number hidden by $E(x_i, r_i)$ is either 0 or 1 by proving that she knows
either a discrete logarithm of $E(x_i, r_i)$ in base $h$ or a discrete logarithm
of $E(x_i, r_i)/g$ in base $h$. This can be done using proofs of knowledge of a
discrete logarithm [19] and a proof of knowledge of one out of two secrets [5].
Bob also checks that $\prod_{i=0}^{k-1} E_i^{2^i} = E(x, r)$.

Characteristics of this proof: For $|p| = 1024$ bits, $|q| = 1023$ bits,
$|b| = 512$ bits, and the Schnorr proof security parameter $t = 90$.

— completeness: The proof always succeeds.

— soundness: A cheating prover can succeed with probability less than
$1 - (1 - 2^{-89})^{512}$.

— zero-knowledge: Perfectly zero-knowledge in the random-oracle model defined
in [3].

— what is proven: $x \in [0, 2^k - 1]$.

— expansion rate: $1 < \delta < 2$ (can be decreased to 1 by proving that both
$x$ and $b - x$ are $k$-bit numbers).

— length of the proof: 1,612,800 bits = 196.9 kB.

1.2.2 BCDG Proof [2]

This protocol proves that a committed number $x \in I$ belongs to $J$, where the
expansion rate $\sharp J / \sharp I$ is equal to 3. We give here a slightly
different presentation from the one of the original paper.

Let $t$ be a security parameter. Let $p$ be a large prime number, let $q$ be such
that $q \mid p - 1$, and let $g$ and $h$ be elements of order $q$ in
$\mathbb{Z}_p^*$ such that the discrete logarithm of $h$ in base $g$ is unknown to
Alice. We denote by $E = E(x, r) = g^x h^r \bmod p$ a commitment to $x \in [0, b]$,
where $r$ is randomly selected over $\mathbb{Z}_q^*$.

For simplicity, we present an interactive version of the protocol which can be
easily turned into a non-interactive one using the Fiat-Shamir heuristic [15].

Protocol: $PK_{[BCDG]}(x, r : E = E(x, r) \wedge x \in [-b, 2b])$.

Run $t$ times in parallel:

1. Alice picks random $\omega_1 \in_R [0, b]$ and sets $\omega_2 = \omega_1 - b$.
She also randomly selects $\eta_1 \in_R [0, q - 1]$ and $\eta_2 \in_R [0, q - 1]$,
and sends to Bob the unordered pair of commitments
$W_1 = g^{\omega_1} h^{\eta_1} \bmod p$ and $W_2 = g^{\omega_2} h^{\eta_2} \bmod p$.

2. Bob challenges Alice by $c \in_R \{0, 1\}$.

3. If $c = 0$, Alice sends to Bob the values of $\omega_1, \omega_2, \eta_1$ and
$\eta_2$.

If $c = 1$, Alice sends to Bob the values $x + \omega_j$ and $r + \eta_j$ for the
value $j \in \{1, 2\}$ such that $x + \omega_j \in [0, b]$ (at least one of the two
qualifies when $x \in [0, b]$).

4. Bob checks that $W_1 = g^{\omega_1} h^{\eta_1} \bmod p$ and
$W_2 = g^{\omega_2} h^{\eta_2} \bmod p$ in the former case (he also verifies that
$\omega_1 \in [0, b]$ and $\omega_2 = \omega_1 - b$, since the bound
$x \in [-b, 2b]$ below relies on it), and that
$W_j E = g^{x + \omega_j} h^{r + \eta_j} \bmod p$ and $x + \omega_j \in [0, b]$ in
the latter case.

Characteristics of this proof: For $|p| = 1024$ bits, $|q| = 1023$ bits,
$|b| = 512$ bits, $t = 80$ and $l = 40$.

— completeness: The proof always succeeds if $x \in [0, b]$.

— soundness: A cheating prover can succeed with probability less than
$2 \times 2^{-t} = 2^{-79}$.

— zero-knowledge: Perfectly zero-knowledge in the random-oracle model.

— what is proven: $x \in [-b, 2b]$.

— expansion rate: $\delta = 3$.

— length of the proof (on average): 225,320 bits = 27.5 kB.
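As an added example, not part of the paper, here is one BCDG round in Python, run interactively for $t$ rounds. It uses a toy group (a safe prime $p = 2q + 1$ with a 128-bit $q$, generated at run time, where the paper assumes $|p| = 1024$) and a base $h = g^{\alpha}$ whose exponent $\alpha$ is a trusted-setup secret that Alice is assumed not to know. The function names are this example's own. `bcdg_extract` carries the soundness argument through: two accepting answers on the same pair (one for $c = 0$, one for $c = 1$) yield $x = (x + \omega_j) - \omega_j$, and because $\omega_j \in [-b, b]$ and $x + \omega_j \in [0, b]$ only $x \in [-b, 2b]$ follows, which is where the expansion rate 3 comes from.

```python
import secrets

# Toy group, constructed for this example: a safe prime p = 2q + 1 found at run
# time.  The paper uses |p| = 1024; 128 bits keeps the demo fast.
_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127]


def _probable_prime(n, rounds=20):
    """Trial division then Miller-Rabin; adequate for a demo modulus."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        y = pow(2 + secrets.randbelow(n - 3), d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=128):
    """(p, q, g, h): p = 2q + 1 prime, g and h of order q, h = g^alpha.
    alpha is a trusted-setup secret Alice must never learn (assumption)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _probable_prime(q) and _probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = 1
    while g == 1:                                   # a square != 1 has order q
        g = pow(2 + secrets.randbelow(p - 3), 2, p)
    alpha = 1 + secrets.randbelow(q - 1)
    return p, q, g, pow(g, alpha, p)


def commit(x, r, g, h, p):
    """E(x, r) = g^x h^r mod p."""
    return pow(g, x, p) * pow(h, r, p) % p


def bcdg_commit(x, r, b, g, h, p, q):
    """Alice, step 1: (secret state, unordered pair of commitments)."""
    w1 = secrets.randbelow(b + 1)                   # omega_1 in [0, b]
    w2 = w1 - b                                     # omega_2 in [-b, 0]
    e1, e2 = secrets.randbelow(q), secrets.randbelow(q)
    pair = [commit(w1, e1, g, h, p), commit(w2, e2, g, h, p)]
    flip = secrets.randbelow(2)                     # random order hides j later
    if flip:
        pair.reverse()
    return (w1, w2, e1, e2, flip), tuple(pair)


def bcdg_respond(state, c, x, r, b, q):
    """Alice, step 3: open both (c = 0), or shift x by the omega keeping it in [0, b]."""
    w1, w2, e1, e2, flip = state
    if c == 0:
        return (w1, w2, e1, e2, flip)
    j = 0 if 0 <= x + w1 <= b else 1                # x + omega_2 = x + omega_1 - b
    w, e = (w1, e1) if j == 0 else (w2, e2)
    return (j ^ flip, x + w, (r + e) % q)           # position in the pair as sent


def bcdg_verify(E, pair, c, resp, b, g, h, p):
    """Bob, step 4.  For c = 0 the shape omega_1 in [0, b], omega_2 = omega_1 - b
    is checked too: the extractor below needs it."""
    if c == 0:
        w1, w2, e1, e2, flip = resp
        expect = [commit(w1, e1, g, h, p), commit(w2, e2, g, h, p)]
        if flip:
            expect.reverse()
        return 0 <= w1 <= b and w2 == w1 - b and tuple(expect) == pair
    k, y, z = resp
    return 0 <= y <= b and pair[k] * E % p == commit(y, z, g, h, p)


def bcdg_prove(x, r, b, g, h, p, q, t=80):
    """t interactive rounds; Bob draws a fresh coin each round."""
    E = commit(x, r, g, h, p)
    for _ in range(t):
        state, pair = bcdg_commit(x, r, b, g, h, p, q)
        c = secrets.randbelow(2)
        if not bcdg_verify(E, pair, c, bcdg_respond(state, c, x, r, b, q), b, g, h, p):
            return False
    return True


def bcdg_extract(resp0, resp1):
    """Knowledge extractor: answers to c = 0 and c = 1 on the same pair give
    x = (x + omega_j) - omega_j, which lies in [0, b] - [-b, b] = [-b, 2b]."""
    w1, w2, _, _, flip = resp0
    k, y, _ = resp1
    return y - (w1, w2)[k ^ flip]
```

The `flip` bookkeeping is what makes the pair "unordered": Bob never learns from the order which of the two shifts Alice later uses, which is what keeps the $c = 1$ answer independent of $x$.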
1.2.3 CFT Proof [8]

The main idea of this proof is roughly the same as the one of [2]. Let $t$, $l$
and $s$ be three security parameters. This protocol (due to Chan, Frankel and
Tsiounis [7], corrected in [8], and also due to [14] in another form) proves
that a committed number $x \in I$ belongs to $J$, where the expansion rate
$\sharp J / \sharp I$ is equal to $2^{t+l+1}$. Let $n$ be a large composite
number whose factorization is unknown to Alice and Bob, $g$ be an element of
large order in $\mathbb{Z}_n^*$ and $h$ be an element of the group generated by
$g$ such that both the discrete logarithm of $g$ in base $h$ and the discrete
logarithm of $h$ in base $g$ are unknown to Alice. Let $H$ be a hash function
which outputs $2t$-bit strings. We denote by $E = E(x, r) = g^x h^r \bmod n$ a
commitment to $x \in [0, b]$, where $r$ is randomly selected over
$[-2^s n + 1, 2^s n - 1]$. This commitment, from [13], statistically reveals no
information about $x$ to Bob.

Protocol: $PK_{[CFT]}(x, r : E = E(x, r) \wedge x \in [-2^{t+l} b, 2^{t+l} b])$.

1. Alice picks random $\omega \in_R [0, 2^{t+l} b - 1]$ and
$\eta \in_R [-2^{t+l+s} n + 1, 2^{t+l+s} n - 1]$, and then computes
$W = g^{\omega} h^{\eta} \bmod n$.

2. Then, she computes $C = H(W)$ and $c = C \bmod 2^t$.

3. Finally, she computes $D_1 = \omega + xc$ and $D_2 = \eta + rc$ (in
$\mathbb{Z}$). If $D_1 \in [cb, 2^{t+l} b - 1]$, she sends $(C, D_1, D_2)$ to Bob;
otherwise she starts the protocol again.

4. Bob checks that $D_1 \in [cb, 2^{t+l} b - 1]$ and that
$C = H(g^{D_1} h^{D_2} E^{-c})$. This convinces Bob that
$x \in [-2^{t+l} b, 2^{t+l} b]$.

Characteristics of this proof: For $|n| = 1024$ bits, $|b| = 512$ bits,
$t = 80$, $l = 40$ and $s = 40$.

— completeness: The proof succeeds with probability greater than
$1 - 2^{-l} = 1 - 2^{-40}$ if $x \in [0, b]$.

— soundness: A cheating prover can succeed with probability less than
$2^{-79}$.

— zero-knowledge: Statistically zero-knowledge in the random-oracle model.

— what is proven: $x \in [-2^{t+l} b, 2^{t+l} b] = [-2^{120} b, 2^{120} b]$.

— expansion rate: $\delta = 2^{t+l+1} = 2^{121}$.

— length of the proof: 1,976 bits = 0.241 kB.



1.3 Our Results

The schemes we propose in this paper are much more efficient than the classical
proof and the BCDG proof, and their expansion rates are
$\delta = 1 + \varepsilon$ for the first one and $\delta = 1$ for the other one,
where $\varepsilon$ is a negligible quantity with respect to 1 if the considered
interval is large enough ($\varepsilon \approx 2^{-134}$ for $t = 80$, $l = 40$ if
the committed number lies in $[0, 2^{512} - 1]$).

We briefly describe our algorithms: first note that it is sufficient to know how
to prove that a number is positive to prove that a number belongs to an
interval. Indeed, to prove that $x$ belongs to $[a, b]$, it is sufficient to
prove that $x - a \geq 0$ and $b - x \geq 0$.

Consider the following commitment scheme: to hide an integer $x$, Alice
computes $E(x, r) = g^x h^r \bmod n$, where $n$ is a composite number whose
factorization is unknown to both Alice and Bob, $g$ is an element of large order
in $\mathbb{Z}_n^*$, $h$ is an element of large order of the group generated by
$g$ such that both the discrete logarithm of $g$ in base $h$ and the discrete
logarithm of $h$ in base $g$ are unknown to Alice, $r$ is randomly selected over
$[-2^s n + 1, 2^s n - 1]$ and $s$ is a security parameter. This commitment has
been introduced in [13], and statistically reveals no information on $x$ to Bob
(see Section 2.1). Note that this commitment is homomorphic, i.e.
$E(x + y, r + s) = E(x, r) \times E(y, s) \bmod n$.

Assume that Alice commits herself to a positive integer $x$ by $E = E(x, r)$
and wants to prove that $x \in [a, b]$.

In our first scheme, Alice writes the positive integer $x - a$ as the sum of
$x_1^2$, the greatest square less than or equal to $x - a$, and of $\rho$, a
positive number less than $2\sqrt{x - a}$ (and therefore less than
$2\sqrt{b - a}$). Then, she randomly selects $r_1, r_2$ in $[0, 2^s n - 1]$ such
that $r_1 + r_2 = r$ and computes $E_1 = E(x_1^2, r_1)$ and $E_2 = E(\rho, r_2)$.
Then, she proves to Bob that $E_1$ hides a square in $\mathbb{Z}$ and that $E_2$
hides a number whose absolute value is less than $2^{t+l+1}\sqrt{b - a}$ by a
CFT proof. Finally, she applies the same method to $b - x$. This leads to a
proof that $x \in [a - 2^{t+l+1}\sqrt{b - a},\, b + 2^{t+l+1}\sqrt{b - a}]$. The
expansion rate of this proof is equal to $1 + (2^{t+l+2}/\sqrt{b - a})$, which
becomes close to 1 when $b - a$ is large.

In our second scheme, we artificially enlarge the size of $x$ by setting
$x' = 2^T x$. By using the first scheme, we prove that
$x' \in [2^T a - 2^{t+l+T/2+1}\sqrt{b - a},\, 2^T b + 2^{t+l+T/2+1}\sqrt{b - a}]$,
and if $T$ is large enough (i.e. $T$ is such that
$2^{t+l+T/2+1}\sqrt{b - a} < 2^T$), Bob is convinced that
$x' \in [2^T a - 2^T + 1,\, 2^T b + 2^T - 1]$, so that
$x \in [a - \varepsilon, b + \varepsilon]$ where $0 \leq \varepsilon < 1$. So, as
$x$ is an integer, Bob is convinced that $x \in [a, b]$.



1.4 Organization of the Paper 

In Section 2, we describe some building blocks used in our protocols: a proof that 
two commitments hide the same secret, and a proof that a committed number is 
a square. In Section 3, we describe our two schemes: a proof of membership to an 
interval with tolerance and a proof of membership without tolerance. Then, we 
extend our results to various commitments. In Section 4, we give an application 
of our schemes. Finally, we conclude in Section 5. 



2 Building Blocks 

The schemes we present in this section are based on the following assumption,
introduced e.g. in [13]:

Strong RSA Assumption: There exists an efficient algorithm that on input $|n|$
outputs an RSA modulus $n$ and an element $z \in \mathbb{Z}_n^*$ such that it is
infeasible to find integers $e \notin \{-1, 1\}$ and $u$ such that
$z = u^e \bmod n$.
2.1 The Fujisaki-Okamoto Commitment Scheme

In this subsection, we briefly describe the commitment scheme we use throughout
this paper.

Let $s$ be a security parameter. Let $n$ be a large composite number whose
factorization is unknown to Alice and Bob, $g$ be an element of large order in
$\mathbb{Z}_n^*$ and $h$ be an element of large order of the group generated by
$g$ such that both the discrete logarithm of $g$ in base $h$ and the discrete
logarithm of $h$ in base $g$ are unknown to Alice.

We denote by $E = E(x, r) = g^x h^r \bmod n$ a commitment to $x$ in base
$(g, h)$, where $r$ is randomly selected over
$\{-2^s n + 1, \ldots, 2^s n - 1\}$.

This commitment first appeared in [13].

Proposition 1 $E(x, r)$ is a statistically secure commitment scheme, i.e.:

— Alice is unable to commit herself to two values $x_1$ and $x_2$ such that
$x_1 \neq x_2$ (in $\mathbb{Z}$) by the same commitment unless she can factor $n$
or solve the discrete logarithm of $g$ in base $h$ or the discrete logarithm of
$h$ in base $g$. In other words, under the factoring assumption, it is
computationally infeasible to compute $x_1, x_2, r_1, r_2$ with $x_1 \neq x_2$
such that $E(x_1, r_1) = E(x_2, r_2)$.

— $E(x, r)$ statistically reveals no information to Bob. More formally, there
exists a simulator which outputs simulated commitments to $x$ which are
statistically indistinguishable from true ones.

As Alice only knows one pair of numbers $(x, r)$ such that $E = g^x h^r \bmod n$,
we say that $x$ is the value committed by (or hidden by) $E$, and that $E$ hides
the secret $x$.

2.2 Proof that Two Commitments Hide the Same Secret

Let $t$, $l$, $s_1$ and $s_2$ be four security parameters. Let $n$ be a large
composite number whose factorization is unknown to Alice and Bob, $g_1$ be an
element of large order in $\mathbb{Z}_n^*$ and $g_2, h_1, h_2$ be elements of the
group generated by $g_1$ such that the discrete logarithm of $g_1$ in base $h_1$,
the discrete logarithm of $h_1$ in base $g_1$, the discrete logarithm of $g_2$ in
base $h_2$ and the discrete logarithm of $h_2$ in base $g_2$ are unknown to
Alice. Let $H$ be a hash function which outputs $2t$-bit strings. We denote by
$E_1(x, r_1) = g_1^x h_1^{r_1} \bmod n$ a commitment to $x$ in base $(g_1, h_1)$,
where $r_1$ is randomly selected over $[-2^{s_1} n + 1, 2^{s_1} n - 1]$, and by
$E_2(x, r_2) = g_2^x h_2^{r_2} \bmod n$ a commitment to $x$ in base $(g_2, h_2)$,
where $r_2$ is randomly selected over $[-2^{s_2} n + 1, 2^{s_2} n - 1]$.

Alice secretly holds $x \in [0, b]$. Let $E = E_1(x, r_1)$ and $F = E_2(x, r_2)$
be two commitments to $x$. She wants to prove to Bob that she knows $x, r_1, r_2$
such that $E = E_1(x, r_1)$ and $F = E_2(x, r_2)$, i.e. that $E$ and $F$ hide the
same secret $x$.

This protocol is derived from proofs of equality of two discrete logarithms
from [6,12,1], combined with a proof of knowledge of a discrete logarithm
modulo $n$ [16].

Protocol: $PK(x, r_1, r_2 : E = E_1(x, r_1) \wedge F = E_2(x, r_2))$.

1. Alice picks random $\omega \in [1, 2^{l+t} b - 1]$,
$\eta_1 \in [1, 2^{l+t+s_1} n - 1]$ and $\eta_2 \in [1, 2^{l+t+s_2} n - 1]$.
Then, she computes $W_1 = g_1^{\omega} h_1^{\eta_1} \bmod n$ and
$W_2 = g_2^{\omega} h_2^{\eta_2} \bmod n$.

2. Alice computes $c = H(W_1 \| W_2)$.

3. She computes $D = \omega + cx$, $D_1 = \eta_1 + c r_1$ and
$D_2 = \eta_2 + c r_2$ (in $\mathbb{Z}$) and sends $(c, D, D_1, D_2)$ to Bob.

4. Bob checks whether
$c = H(g_1^{D} h_1^{D_1} E^{-c} \bmod n \,\|\, g_2^{D} h_2^{D_2} F^{-c} \bmod n)$.

It is shown in [9] that a successful execution of this protocol convinces Bob
that the numbers hidden in $E$ and $F$ are equal, provided the Strong RSA
problem is infeasible.

Characteristics of this proof: For $|n| = 1024$ bits, $|b| = 512$ bits, $t = 80$,
$l = 40$, $s_1 = 40$ and $s_2 = 552$.

— completeness: The proof always succeeds.

— soundness: Under the strong RSA assumption, a cheating prover can succeed
with probability less than $2 \times 2^{-t} = 2^{-79}$.

— zero-knowledge: Statistically zero-knowledge in the random-oracle model if
$1/l$ is negligible.

— length of the proof: $2{,}648 + 2|x|$ bits = 3,672 bits = 0.448 kB.

2.3 Proof that a Committed Number is a Square

Let $t$, $l$ and $s$ be three security parameters. Let $n$ be a large composite
number whose factorization is unknown to Alice and Bob, $g$ be an element of
large order in $\mathbb{Z}_n^*$ and $h$ be an element of the group generated by
$g$ such that both the discrete logarithm of $g$ in base $h$ and the discrete
logarithm of $h$ in base $g$ are unknown to Alice. Let $H$ be a hash function
which outputs $2t$-bit strings. We denote by $E(x, r) = g^x h^r \bmod n$ a
commitment to $x$ in base $(g, h)$, where $r$ is randomly selected over
$[-2^s n + 1, 2^s n - 1]$.

Alice secretly holds $x \in [0, b]$. Let $E = E(x^2, r_1)$ be a commitment to
the square of $x$ (in $\mathbb{Z}$). She wants to prove to Bob that she knows $x$
and $r_1$ such that $E = E(x^2, r_1)$, i.e. that $E$ hides the square $x^2$.

The first proof that a committed number is a square appeared in [13].

Protocol: $PK(x, r_1 : E = E(x^2, r_1))$.

1. Alice picks random $r_2 \in [-2^s n + 1, 2^s n - 1]$ and computes
$F = E(x, r_2)$.

2. Then, Alice computes $r_3 = r_1 - r_2 x$ (in $\mathbb{Z}$). Note that
$r_3 \in [-2^s bn + 1, 2^s bn - 1]$. Then, $E = F^x h^{r_3} \bmod n$.

3. As $E$ is a commitment to $x$ in base $(F, h)$ and $F$ is a commitment to $x$
in base $(g, h)$, Alice can run
$PK(x, r_2, r_3 : F = g^x h^{r_2} \bmod n \wedge E = F^x h^{r_3} \bmod n)$, the
proof that two commitments hide the same secret described in Section 2.2. She
gets $(c, D, D_1, D_2)$.

4. She sends $(F, c, D, D_1, D_2)$ to Bob.

5. Bob checks that
$PK(x, r_2, r_3 : F = g^x h^{r_2} \bmod n \wedge E = F^x h^{r_3} \bmod n)$ is
valid.

The soundness of this protocol is clear: if Alice is able to compute $F$ and a
proof that $E$ and $F$ are commitments to the same number $x$, resp. in base
$(F, h)$ and $(g, h)$, then Alice knows $x$, $r_2$ and $r_3$ such that
$E = F^x h^{r_3} = (g^x h^{r_2})^x h^{r_3} = g^{x^2} h^{r_2 x + r_3} \bmod n$.
Then, this proof shows that Alice knows a square which is hidden in the
commitment $E$. In other words, a successful execution of this protocol
convinces Bob that the value hidden in the commitment $E$ is a square in
$\mathbb{Z}$.

Technical proofs of the soundness and the zero-knowledgeness of this protocol
are easily obtained from the properties of the previous protocol.

Characteristics of this proof: For $|n| = 1024$ bits, $|b| = 512$ bits, $t = 80$,
$l = 40$ and $s = 40$.

— completeness: The proof always succeeds.

— soundness: Under the strong RSA assumption, a cheating prover can succeed
with probability less than $2 \times 2^{-t} = 2^{-79}$.

— zero-knowledge: Statistically zero-knowledge in the random-oracle model if
$1/l$ is negligible.

— length of the proof: $3{,}672 + 2|x|$ bits = 4,696 bits = 0.573 kB.
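As an added example (not the paper's code), the Fujisaki-Okamoto commitment, the equality proof of Section 2.2 and the square proof of Section 2.3 in Python. The modulus is a toy product of two Mersenne primes and $h = g^{\alpha}$ for a setup secret $\alpha$, both constructed here; a deployment needs an RSA modulus and bases from a trusted dealer. The challenge is the hash truncated to $t$ bits, as the CFT proof does, which is an assumption about how the $2t$-bit $H$ is applied; the function names are this example's own. The square proof is exactly the equality proof run once in base $(g, h)$ and once in base $(F, h)$, which is why $s_2$ grows by $|b|$: $|r_3| = |r_1 - r_2 x|$ is about $2^s b n$.

```python
import hashlib
import math
import secrets

# Toy parameters, constructed for this example.  The paper needs the
# factorisation of n to be unknown to everybody; here it is simply not kept.
N = ((1 << 127) - 1) * ((1 << 107) - 1)
T, L, S = 80, 40, 40     # t: challenge bits, l: zero-knowledge slack, s: randomness slack


def _rand_in(lo, hi):
    """Uniform integer in [lo, hi], both ends included."""
    return lo + secrets.randbelow(hi - lo + 1)


def setup_bases(n=N):
    """(g, h) with h in <g>.  alpha = log_g(h) is a setup secret: a prover who
    knows it can open one commitment to two values, so it must be discarded."""
    while True:
        g = pow(_rand_in(2, n - 2), 2, n)
        if g != 1 and math.gcd(g, n) == 1:
            break
    return g, pow(g, _rand_in(1, n * n), n)


def commit(x, r, g, h, n=N):
    """Fujisaki-Okamoto commitment E(x, r) = g^x h^r mod n for integers x, r."""
    return pow(g, x, n) * pow(h, r, n) % n


def fresh_r(s=S, n=N):
    """Commitment randomness in [-2^s n + 1, 2^s n - 1]."""
    return _rand_in(-(n << s) + 1, (n << s) - 1)


def _challenge(w1, w2, n=N, t=T):
    """c = H(W1 || W2), truncated to t bits (assumption, as in the CFT proof)."""
    size = (n.bit_length() + 7) // 8
    digest = hashlib.sha256(w1.to_bytes(size, "big") + w2.to_bytes(size, "big")).digest()
    return int.from_bytes(digest, "big") % (1 << t)


def prove_equal(x, b, base1, r1, s1, base2, r2, s2, n=N, t=T, l=L):
    """Section 2.2: PK(x, r1, r2 : E = g1^x h1^r1 and F = g2^x h2^r2).
    b bounds x; 2^s1 n and 2^s2 n bound |r1| and |r2|."""
    g1, h1 = base1
    g2, h2 = base2
    omega = _rand_in(1, (b << (l + t)) - 1)
    eta1 = _rand_in(1, (n << (l + t + s1)) - 1)
    eta2 = _rand_in(1, (n << (l + t + s2)) - 1)
    c = _challenge(commit(omega, eta1, g1, h1, n), commit(omega, eta2, g2, h2, n), n, t)
    # responses stay integers: the group order is unknown, nothing is reduced
    return c, omega + c * x, eta1 + c * r1, eta2 + c * r2


def verify_equal(E, F, base1, base2, proof, n=N, t=T):
    """Bob: c == H(g1^D h1^D1 E^-c || g2^D h2^D2 F^-c)."""
    g1, h1 = base1
    g2, h2 = base2
    c, D, D1, D2 = proof
    v1 = commit(D, D1, g1, h1, n) * pow(E, -c, n) % n
    v2 = commit(D, D2, g2, h2, n) * pow(F, -c, n) % n
    return c == _challenge(v1, v2, n, t)


def prove_square(x, b, r1, g, h, n=N, s=S):
    """Section 2.3: E = E(x^2, r1) hides a square.  Returns (F, proof)."""
    r2 = fresh_r(s, n)
    F = commit(x, r2, g, h, n)                  # F = g^x h^r2
    r3 = r1 - r2 * x                            # so that E = F^x h^r3 over Z
    # F commits to x in base (g, h); E commits to the same x in base (F, h).
    # |r3| < 2^s b n, hence the second randomness slack is s + |b|.
    proof = prove_equal(x, b, (g, h), r2, s, (F, h), r3, s + b.bit_length(), n)
    return F, proof


def verify_square(E, F, proof, g, h, n=N):
    return verify_equal(F, E, (g, h), (F, h), proof, n)


def demo(x=0x1234_5678_9ABC_DEF0, b=1 << 64):
    """Honest run, plus the same proof replayed against a commitment to
    x^2 + 1 (not a square), which must be rejected."""
    g, h = setup_bases()
    r1 = fresh_r()
    E = commit(x * x, r1, g, h)
    F, proof = prove_square(x, b, r1, g, h)
    bad = commit(x * x + 1, r1, g, h)
    return verify_square(E, F, proof, g, h), verify_square(bad, F, proof, g, h)
```

`pow(E, -c, n)` relies on Python 3.8+ computing modular inverses for negative exponents; $D_1$ and $D_2$ may be negative for the same reason and are handled the same way.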

3 Our Schemes

3.1 Proof that a Committed Number Belongs to an Interval

Let $t$, $l$ and $s$ be three security parameters. Let $n$ be a large composite
number whose factorization is unknown to Alice and Bob, $g$ be an element of
large order in $\mathbb{Z}_n^*$ and $h$ be an element of the group generated by
$g$ such that both the discrete logarithm of $g$ in base $h$ and the discrete
logarithm of $h$ in base $g$ are unknown to Alice. We denote by
$E(x, r) = g^x h^r \bmod n$ a commitment to $x$ in base $(g, h)$, where $r$ is
randomly selected over $[-2^s n + 1, 2^s n - 1]$.

3.1.1 Proof with Tolerance: $\delta = 1 + \varepsilon$.

The following protocol allows Alice to prove to Bob that the committed number
$x \in [a, b]$ belongs to $[a - \theta, b + \theta]$, where
$\theta = 2^{t+l+1}\sqrt{b - a}$.

Protocol: $PK_{[withTol.]}(x, r : E = E(x, r) \wedge x \in [a - \theta, b + \theta])$.

1. [Knowledge of $x$]

Alice executes with Bob:

$PK(x, r : E = E(x, r))$

2. [Setting]

Both Alice and Bob compute $\bar{E} = E / g^a \bmod n$ and
$\tilde{E} = g^b / E \bmod n$. Alice sets $\bar{x} = x - a$ and $\tilde{x} = b - x$.
Now, Alice must prove to Bob that both $\bar{E}$ and $\tilde{E}$ hide secrets
which are greater than $-\theta$.




Efficient Proofs that a Committed Number Lies in an Interval 






3. [Decomposition of $\bar{x}$ and $\tilde{x}$]

Alice computes:

$\bar{x}_1 = \lfloor \sqrt{x - a} \rfloor$, $\bar{x}_2 = \bar{x} - \bar{x}_1^2$,

$\tilde{x}_1 = \lfloor \sqrt{b - x} \rfloor$, $\tilde{x}_2 = \tilde{x} - \tilde{x}_1^2$.

Then, $\bar{x} = \bar{x}_1^2 + \bar{x}_2$ and $\tilde{x} = \tilde{x}_1^2 + \tilde{x}_2$,
where $0 \leq \bar{x}_2 < 2\sqrt{b - a}$ and $0 \leq \tilde{x}_2 < 2\sqrt{b - a}$.

4. [Choice of random values for new commitments]

Alice randomly selects $\bar{r}_1$ and $\bar{r}_2$ in $[-2^s n + 1, 2^s n - 1]$
such that $\bar{r}_1 + \bar{r}_2 = r$, and $\tilde{r}_1$ and $\tilde{r}_2$ such that
$\tilde{r}_1 + \tilde{r}_2 = -r$.

5. [Computation of new commitments]

Alice computes:

$\bar{E}_1 = E(\bar{x}_1^2, \bar{r}_1)$, $\bar{E}_2 = E(\bar{x}_2, \bar{r}_2)$,

$\tilde{E}_1 = E(\tilde{x}_1^2, \tilde{r}_1)$, $\tilde{E}_2 = E(\tilde{x}_2, \tilde{r}_2)$.

6. [Sending of the new commitments]

Alice sends $\bar{E}_1$ and $\tilde{E}_1$ to Bob. Bob computes
$\bar{E}_2 = \bar{E} / \bar{E}_1$ and $\tilde{E}_2 = \tilde{E} / \tilde{E}_1$.

7. [Validity of the commitments to a square]

Alice executes with Bob

$PK(\bar{x}_1, \bar{r}_1 : \bar{E}_1 = E(\bar{x}_1^2, \bar{r}_1))$,

$PK(\tilde{x}_1, \tilde{r}_1 : \tilde{E}_1 = E(\tilde{x}_1^2, \tilde{r}_1))$,

which prove that both $\bar{E}_1$ and $\tilde{E}_1$ hide a square.

8. [Validity of the commitments to a small value]

Let $\theta = 2^{t+l+1}\sqrt{b - a}$. Alice executes with Bob the two following
CFT proofs:

$PK_{[CFT]}(\bar{x}_2, \bar{r}_2 : \bar{E}_2 = E(\bar{x}_2, \bar{r}_2) \wedge \bar{x}_2 \in [-\theta, \theta])$,

$PK_{[CFT]}(\tilde{x}_2, \tilde{r}_2 : \tilde{E}_2 = E(\tilde{x}_2, \tilde{r}_2) \wedge \tilde{x}_2 \in [-\theta, \theta])$,

which prove that both $\bar{E}_2$ and $\tilde{E}_2$ hide numbers which belong to
$[-\theta, \theta]$, where $\theta = 2^{t+l+1}\sqrt{b - a}$, instead of proving
that they belong to $[0, 2\sqrt{b - a}]$.



Sketch of Analysis:

After a successful execution of this protocol, Bob is convinced that:

— $\bar{E}_1$ and $\tilde{E}_1$ hide numbers which are positive integers, as
they are squares (Step 7).

— $\bar{E}_2$ and $\tilde{E}_2$ hide numbers which are greater than $-\theta$
(Step 8).

— Alice knows the values hidden by $\bar{E}$ and $\tilde{E}$ (Steps 1 and 2).

— The number hidden in $\bar{E}$ is the sum of the number hidden in
$\bar{E}_1$ and of the number hidden in $\bar{E}_2$, and so are $\tilde{E}$,
$\tilde{E}_1$ and $\tilde{E}_2$ (Step 6).

So, Bob is convinced that $\bar{E}$ and $\tilde{E}$ hide numbers which are
greater than $-\theta$, as they are the sum of a positive number and a number
greater than $-\theta$.

Let $x$ be the number known by Alice (from Step 1) and hidden by $E$. Bob is
convinced that $x - a$ is the value hidden by $\bar{E}$ and $b - x$ is the value
hidden by $\tilde{E}$. So, Bob is convinced that $x - a > -\theta$ and
$b - x > -\theta$, i.e. that $x$ belongs to $[a - \theta, b + \theta]$, where
$\theta = 2^{t+l+1}\sqrt{b - a}$.

Expansion Rate: Following Definition 2, the expansion rate is equal to:

$$\delta = \frac{(b + \theta) - (a - \theta)}{b - a} = 1 + \frac{2\theta}{b - a} = 1 + \varepsilon$$

where:

$$\varepsilon = \frac{2\theta}{b - a} = \frac{2^{t+l+2}\sqrt{b - a}}{b - a} = \frac{2^{t+l+2}}{\sqrt{b - a}}.$$

$\varepsilon$ is negligible if and only if $|b - a| > 2t + 2l + 2z + 4$, where
$z$ is a security parameter. If it is the case, the expansion rate is at most
$\delta = 1 + 2^{-z}$.

Characteristics of this proof: for $|n| = 1024$ bits, $|b - a| = 512$ bits,
$t = 80$, $l = 40$ and $s = 40$.

— length of the proof: 13,860 bits = 1.692 kB.

— expansion rate: $\delta = 1 + \varepsilon$, where
$\varepsilon = 2^{t+l+2}/\sqrt{b - a} < 2^{122 - 255} = 2^{-133}$.



3.1.2 Proof without Tolerance: $\delta = 1$.

The following protocol allows Alice to prove to Bob that the committed number
$x \in [a, b]$ belongs to the desired interval $[a, b]$.

To achieve a proof of membership without tolerance, we artificially enlarge the
size of $x$ by setting $x' = 2^T x$, where $T = 2(t + l + 1) + |b - a|$. Let
$E' = E^{2^T}$. $E'$ is a Fujisaki-Okamoto commitment to $x' = 2^T x$ that Alice
can open.

By using the first scheme, Alice proves to Bob that the value $x'$ hidden by
$E'$ is such that
$x' \in [2^T a - 2^{t+l+T/2+1}\sqrt{b - a},\, 2^T b + 2^{t+l+T/2+1}\sqrt{b - a}]$
(instead of proving that $x' \in [2^T a, 2^T b]$).

As $T = 2(t + l + 1) + |b - a|$, we have:

$$\theta' = 2^{t+l+1}\sqrt{2^T (b - a)} = 2^{t+l+T/2+1}\sqrt{b - a} < 2^{T/2} \times 2^{t+l+1} \times 2^{|b-a|/2} = 2^{T/2} \times 2^{T/2} = 2^T.$$

Then, if Bob is convinced that $x' \in [2^T a - \theta', 2^T b + \theta']$, he is
also convinced that $x' \in \,]2^T a - 2^T, 2^T b + 2^T[$.

Provided Alice does not know the factorization of $n$, she is unable to know
two different values in $\mathbb{Z}$ hidden by $E'$. So, necessarily,
$x' = 2^T x$. The proof convinces Bob that
$2^T x \in \,]2^T a - 2^T, 2^T b + 2^T[$, and so that $x \in \,]a - 1, b + 1[$.
Finally, as $x$ is an integer, Bob is convinced that $x \in [a, b]$.

Protocol: $PK(x, r : E = E(x, r) \wedge x \in [a, b])$.

1. [Setting]

Both Alice and Bob compute $E' = E^{2^T}$, where $T = 2(t + l + 1) + |b - a|$.

2. [Proof]

Alice executes with Bob:

$PK_{[withTol.]}(x', r' : E' = E(x', r') \wedge x' \in [2^T a - 2^{t+l+T/2+1}\sqrt{b - a},\, 2^T b + 2^{t+l+T/2+1}\sqrt{b - a}])$.

Characteristics of this proof: for $|n| = 1024$ bits, $|b - a| = 512$ bits,
$t = 80$, $l = 40$ and $s = 40$.

— length of the proof: 16,176 bits = 1.975 kB.

— expansion rate: $\delta = 1$.
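As an added Python example (not the paper's code) serving Section 1.2.3 and the two schemes of Sections 3.1.1 and 3.1.2: the CFT range proof, the decomposition $\bar{x} = \bar{x}_1^2 + \bar{x}_2$, and the size bookkeeping that turns $\theta' < 2^T$ into $x \in [a, b]$. It assumes the same toy modulus and trusted-setup bases as a demo, and it does not repeat the square-proof step of Section 2.3: it runs the CFT proof on the small part $\bar{x}_2$ with the public bound $B = 2\lfloor\sqrt{b - a}\rfloor$ that Bob can compute himself, and then carries the integer arithmetic of the no-tolerance variant through on the same $[a, b]$. All names are this example's own.

```python
import hashlib
import secrets
from math import isqrt

# Toy parameters, constructed for this example; the paper uses |n| = 1024.
N = ((1 << 127) - 1) * ((1 << 107) - 1)     # factorisation discarded after setup
T, L, S = 80, 40, 40


def _rand_in(lo, hi):
    return lo + secrets.randbelow(hi - lo + 1)


def setup_bases(n=N):
    """h = g^alpha for a setup secret alpha the prover never sees (assumption)."""
    g = pow(_rand_in(2, n - 2), 2, n)
    return g, pow(g, _rand_in(1, n * n), n)


def commit(x, r, g, h, n=N):
    return pow(g, x, n) * pow(h, r, n) % n


def _hash(w, n=N):
    size = (n.bit_length() + 7) // 8
    return int.from_bytes(hashlib.sha256(w.to_bytes(size, "big")).digest(), "big")


def cft_prove(x, r, b, g, h, n=N, t=T, l=L, s=S):
    """Section 1.2.3: for E = E(x, r) with x in [0, b], produce (C, D1, D2).
    The restart (probability about 2^-l) keeps D1 inside [cb, 2^{t+l} b - 1], so
    the response distribution does not depend on x."""
    while True:
        omega = _rand_in(0, (b << (t + l)) - 1)
        eta = _rand_in(-(n << (t + l + s)) + 1, (n << (t + l + s)) - 1)
        C = _hash(commit(omega, eta, g, h, n), n)
        c = C % (1 << t)
        D1, D2 = omega + x * c, eta + r * c
        if c * b <= D1 <= (b << (t + l)) - 1:
            return C, D1, D2


def cft_verify(E, b, proof, g, h, n=N, t=T, l=L):
    """Acceptance means x in [-2^{t+l} b, 2^{t+l} b]: two accepting answers with
    c != c' give x = (D1 - D1')/(c - c') and |D1 - D1'| < 2^{t+l} b."""
    C, D1, D2 = proof
    c = C % (1 << t)
    if not c * b <= D1 <= (b << (t + l)) - 1:
        return False
    return C == _hash(commit(D1, D2, g, h, n) * pow(E, -c, n) % n, n)


def cft_bound(b, t=T, l=L):
    """Half-width 2^{t+l} b of the interval a CFT proof with public bound b proves."""
    return b << (t + l)


def decompose(y):
    """y >= 0  ->  (y1, y2) with y = y1^2 + y2 and 0 <= y2 <= 2 y1 < 2 sqrt(y) + 1."""
    y1 = isqrt(y)
    return y1, y - y1 * y1


def small_part_bound(a, b):
    """Public bound B on x2 = (x - a) - floor(sqrt(x - a))^2 for any x in [a, b]."""
    return 2 * isqrt(b - a)


def tolerance(a, b, t=T, l=L):
    """theta = 2^{t+l} B, what the CFT step proves; at most 2^{t+l+1} sqrt(b - a)."""
    return cft_bound(small_part_bound(a, b), t, l)


def enlargement(a, b, t=T, l=L):
    """T = 2(t + l + 1) + |b - a| of Section 3.1.2, with the check theta' < 2^T."""
    T_ = 2 * (t + l + 1) + (b - a).bit_length()
    assert tolerance(a << T_, b << T_, t, l) < (1 << T_)
    return T_


def integer_interval(a, b, t=T, l=L):
    """Integers x with 2^T a - theta' <= 2^T x <= 2^T b + theta'."""
    T_ = enlargement(a, b, t, l)
    theta_prime = tolerance(a << T_, b << T_, t, l)
    lo, hi = (a << T_) - theta_prime, (b << T_) + theta_prime
    return -((-lo) // (1 << T_)), hi // (1 << T_)      # ceil(lo/2^T), floor(hi/2^T)


def demo(a=1_000_000, b=(1 << 128) + 1_000_000, x=(1 << 100) + 12345):
    """Honest Alice: split x - a, prove the small part with CFT against the bound
    Bob computes from [a, b]; then the no-tolerance bookkeeping on the same [a, b]."""
    g, h = setup_bases()
    x1, x2 = decompose(x - a)
    assert x - a == x1 * x1 + x2
    B = small_part_bound(a, b)
    r2 = _rand_in(-(N << S) + 1, (N << S) - 1)
    E2 = commit(x2, r2, g, h)                 # in the paper Bob derives it as Ebar / E1
    proof = cft_prove(x2, r2, B, g, h)
    ok = cft_verify(E2, B, proof, g, h)
    bad = cft_verify(commit(x2 + 1, r2, g, h), B, proof, g, h)
    return ok, bad, tolerance(a, b), integer_interval(a, b)
```

With $b - a = 2^{128}$ the bound is $B = 2^{65}$, so the CFT step proves $|\bar{x}_2| \leq 2^{185}$, which is exactly $2^{t+l+1}\sqrt{b - a}$; the enlargement gives $T = 371$ and `integer_interval` collapses back to $[a, b]$ itself.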
3.2 Extensions

The above protocols can be used to prove that:

— a discrete logarithm modulo a composite number $n$ whose factorization is
unknown to Alice belongs to an interval. Let $g$ be an element of large order
in $\mathbb{Z}_n^*$ and $h$ be an element of the group generated by $g$ such that
both the discrete logarithm of $g$ in base $h$ and the discrete logarithm of $h$
in base $g$ are unknown to Alice. Let $x$ be such that $y = g^x \bmod n$. Alice
randomly selects $r$ and computes $y' = h^r \bmod n$. She proves to Bob that she
knows a discrete logarithm of $y'$ in base $h$, and then that
$yy' = g^x h^r \bmod n$ is a commitment to a value which belongs to the given
interval.

— a discrete logarithm modulo $p$ (a prime number or a composite number whose
factorization is known to Alice) belongs to an interval. Let $x$ be such that
$Y = G^x \bmod p$. Alice randomly selects $r$ and computes
$E = E(x, r) = g^x h^r \bmod n$, a commitment to $x$. Then, she executes with
Bob $PK(x, r : Y = G^x \bmod p \wedge E = g^x h^r \bmod n)$ (see Appendix A) and
$PK(x, r : E = g^x h^r \bmod n \wedge x \in [a, b])$.

— a third root (or, more generally, an $e$-th root) modulo $N$ belongs to an
interval. Let $x$ be such that $Y = x^3 \bmod N$. Alice randomly selects $r$ and
computes $E = E(x, r) = g^x h^r \bmod n$, a commitment to $x$. Then, she
executes with Bob $PK(x, r : Y = x^3 \bmod N \wedge E = g^x h^r \bmod n)$ (see
Appendix B) and $PK(x, r : E = g^x h^r \bmod n \wedge x \in [a, b])$.

Note: to prove that a committed number $x$ lies in $I \cup J$, Alice proves that
$x$ lies in $I$ or $x$ lies in $J$ by using a proof of "or" from [5].

4 Application to Verifiable Encryption

As one of the several applications of proofs of membership to an interval, we
present in this section an efficient (publicly) verifiable encryption scheme.

Alice has sent two encrypted messages to Charlie and Deborah, and wants to
prove to Bob that the two ciphertexts encrypt the same message.

Charlie and Deborah use the Okamoto-Uchiyama [18] cryptosystem, i.e. Charlie
holds a composite number $n_C = p_C^2 q_C$ ($|p_C| = |q_C| = k$) and an element
$g_C \in \mathbb{Z}_{n_C}^*$ such that the order of $g_C^{p_C - 1} \bmod p_C^2$ is
$p_C$, and Deborah holds a composite number $n_D = p_D^2 q_D$
($|p_D| = |q_D| = k$) and an element $g_D \in \mathbb{Z}_{n_D}^*$ such that the
order of $g_D^{p_D - 1} \bmod p_D^2$ is $p_D$.

We denote by $h_C = g_C^{n_C} \bmod n_C$ and $h_D = g_D^{n_D} \bmod n_D$. To
encrypt a message $m$ such that $0 < m < 2^{k-1}$ intended for Charlie, Alice
computes $E_C = g_C^m h_C^{r_C} \bmod n_C$, where $r_C$ is randomly selected over
$\mathbb{Z}_{n_C}^*$. In the same way, she encrypts the same message $m$ intended
for Deborah by computing $E_D = g_D^m h_D^{r_D} \bmod n_D$.

Now, Alice wants to prove to Bob that the two ciphertexts $E_C$ and $E_D$
encrypt the same message.

First, she executes with Bob
$PK(m, r_C, r_D : E_C = g_C^m h_C^{r_C} \bmod n_C \wedge E_D = g_D^m h_D^{r_D} \bmod n_D)$,
a proof of equality of two committed numbers with respect to different moduli
(see Appendix A). This only proves that she knows an integer $m$ such that
$m \bmod p_C$ and $m \bmod p_D$ are respectively the messages decrypted by
Charlie and Deborah. Note that if $m$ is greater than $p_C$ and $p_D$, then
$m \bmod p_C$ and $m \bmod p_D$ may differ. So it is necessary that Alice also
proves to Bob that $m$ is less than $p_C$ and $p_D$. Alice uses the proof of
membership to an interval without tolerance presented in Section 3.1.2:
$PK(m, r_C : E_C = g_C^m h_C^{r_C} \bmod n_C \wedge m \in [0, 2^{k-1}])$. Then,
necessarily, $m \bmod p_C = m \bmod p_D = m$, and Bob is convinced that Alice
has secretly sent the same message to Charlie and to Deborah.



5 Conclusion 

We have presented in this paper efficient proofs that a committed number
belongs to an interval and have given examples of applications, in particular
an efficient verifiable encryption scheme. Owing to their efficiency, they are
well suited to be used in various cryptographic protocols.



Acknowledgements 

We would like to thank Marc Girault for helpful discussions and comments. 

References 

1. Bao, F.: An Efficient Verifiable Encryption Scheme for Encryption of Discrete
Logarithms. Proceedings of CARDIS'98 (1998)

2. Brickell, E., Chaum, D., Damgård, I., Van de Graaf, J.: Gradual and Verifiable
Release of a Secret. Proceedings of CRYPTO'87, LNCS 293 (1988) 156-166

3. Bellare, M., Rogaway, P.: Random Oracles are Practical: a Paradigm for
Designing Efficient Protocols. Proceedings of the First ACM Conference on
Computer and Communications Security (1993) 62-73

4. Boudot, F., Traoré, J.: Efficient Publicly Verifiable Secret Sharing Schemes
with Fast or Delayed Recovery. Proceedings of the Second International
Conference on Information and Communication Security, LNCS 1726 (1999) 87-102

5. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of Partial Knowledge and
Simplified Design of Witness Hiding Protocols. Proceedings of CRYPTO'94, LNCS
839 (1994) 174-187

6. Chaum, D., Evertse, J.-H., Van de Graaf, J.: An Improved Protocol for
Demonstrating Possession of Discrete Logarithm and Some Generalizations.
Proceedings of EUROCRYPT'87, LNCS 304 (1988) 127-141

7. Chan, A., Frankel, Y., Tsiounis, Y.: Easy Come - Easy Go Divisible Cash.
Proceedings of EUROCRYPT'98, LNCS 1403 (1998) 561-575

8. Chan, A., Frankel, Y., Tsiounis, Y.: Easy Come - Easy Go Divisible Cash.
Updated version with corrections, GTE Tech. Rep. (1998), available at
http://www.ccs.neu.edu/home/yiannis/







9. Camenisch, J., Michels, M.: A Group Signature Scheme Based on an RSA-Variant.
Tech. Rep. RS-98-27, BRICS, Dept. of Comp. Sci., University of Aarhus, available
at http://www.zurich.ibm.com/~jca/ (1998)

10. Camenisch, J., Michels, M.: Proving in Zero-Knowledge that a Number is the
Product of Two Safe Primes. Proceedings of EUROCRYPT'99, LNCS 1592 (1999)
106-121

11. Camenisch, J., Michels, M.: Separability and Efficiency for Generic Group
Signature Schemes. Proceedings of CRYPTO'99, LNCS 1666 (1999) 413-430

12. Chaum, D., Pedersen, T.P.: Wallet Databases with Observers. Proceedings of
CRYPTO'92, LNCS 740 (1992) 89-105

13. Fujisaki, E., Okamoto, T.: Statistical Zero Knowledge Protocols to Prove
Modular Polynomial Relations. Proceedings of CRYPTO'97, LNCS 1294 (1997) 16-30

14. Fujisaki, E., Okamoto, T.: A Practical and Provably Secure Scheme for
Publicly Verifiable Secret Sharing and Its Applications. Proceedings of
EUROCRYPT'98, LNCS 1403 (1998) 32-46

15. Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to
Identification and Signature Problems. Proceedings of CRYPTO'86, LNCS 263
(1986) 186-194

16. Girault, M.: Self-Certified Public Keys. Proceedings of EUROCRYPT'91, LNCS
547 (1991) 490-497

17. Mao, W.: Guaranteed Correct Sharing of Integer Factorization with Off-line
Shareholders. Proceedings of Public Key Cryptography '98, LNCS 1431 (1998)
27-42

18. Okamoto, T., Uchiyama, S.: A New Public-Key Cryptosystem as Secure as
Factoring. Proceedings of EUROCRYPT'98, LNCS 1403 (1998) 308-318

19. Schnorr, C.P.: Efficient Signature Generation by Smart Cards. Journal of
Cryptology 4(3) (1991) 161-174



A Proof of Equality of Two Committed Numbers in 
Different Moduli 

This proof originally appeared in [4] and independently in [10] in a more general form.

Let $t$, $l$ and $s$ be three security parameters. Let $n_1$ be a large composite number whose factorization is unknown by Alice and Bob, and $n_2$ be another large number, prime or composite, whose factorization is known or unknown by Alice. Let $g_1$ be an element of large order in $\mathbb{Z}_{n_1}^*$ and $h_1$ be an element of the group generated by $g_1$ such that both the discrete logarithm of $g_1$ in base $h_1$ and the discrete logarithm of $h_1$ in base $g_1$ are unknown by Alice. Let $g_2$ be an element of large order in $\mathbb{Z}_{n_2}^*$ and $h_2$ be an element of the group generated by $g_2$ such that both the discrete logarithm of $g_2$ in base $h_2$ and the discrete logarithm of $h_2$ in base $g_2$ are unknown by Alice. Let $H$ be a hash function which outputs $2t$-bit strings. We denote by $E_1(x, r_1) = g_1^x h_1^{r_1} \bmod n_1$ a commitment to $x$ in base $(g_1, h_1)$ where $r_1$ is randomly selected over $\{-2^s n_1 + 1, \ldots, 2^s n_1 - 1\}$, and by $E_2(x, r_2) = g_2^x h_2^{r_2} \bmod n_2$ a commitment to $x$ in base $(g_2, h_2)$ where $r_2$ is randomly selected over $\{-2^s n_2 + 1, \ldots, 2^s n_2 - 1\}$.

Alice secretly holds $x \in \{0, \ldots, b\}$. Let $E = E_1(x, r_1)$ and $F = E_2(x, r_2)$ be two commitments to $x$. She wants to prove to Bob that she knows $x, r_1, r_2$ such that $E = E_1(x, r_1)$ and $F = E_2(x, r_2)$, i.e. that $E$ and $F$ hide the same secret $x$.

Protocol: $PK(x, r_1, r_2 : E = E_1(x, r_1) \bmod n_1 \wedge F = E_2(x, r_2) \bmod n_2)$.

1. Alice picks random $w \in \{1, \ldots, 2^{l+t} b - 1\}$, $\eta_1 \in \{1, \ldots, 2^{l+t+s} n_1 - 1\}$, $\eta_2 \in \{1, \ldots, 2^{l+t+s} n_2 - 1\}$. Then, she computes $W_1 = g_1^w h_1^{\eta_1} \bmod n_1$ and $W_2 = g_2^w h_2^{\eta_2} \bmod n_2$.

2. Alice computes $c = H(W_1 \,\|\, W_2)$.

3. She computes $D = w + cx$, $D_1 = \eta_1 + c r_1$, $D_2 = \eta_2 + c r_2$ (in $\mathbb{Z}$) and sends $(c, D, D_1, D_2)$ to Bob.

4. Bob checks whether $c = H(g_1^{D} h_1^{D_1} E^{-c} \bmod n_1 \,\|\, g_2^{D} h_2^{D_2} F^{-c} \bmod n_2)$.



Note that this protocol can be used to prove the equality of more than two committed numbers, or to prove the equality of a committed number modulo $n_1$ and a discrete logarithm modulo $n_2$ by setting $r_2$, $\eta_2$ and $D_2$ to zero.
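The protocol above, as an added example that is not part of the original paper: a Python implementation of the four steps with toy parameters. Everything concrete here is constructed for the example and is an assumption, not the paper's choice: the moduli $n_1, n_2$ are products of small known primes, $h = g^\alpha$ is generated by the demo code (whereas the protocol requires that Alice not know $\alpha$ or the factorization of $n_1$), and $H$ is SHA-256 truncated to $2t$ bits. The `dlog` switch implements the closing remark: with $r_2 = \eta_2 = D_2 = 0$ the second value is a plain discrete logarithm $g_2^x$ rather than a commitment.

```python
import hashlib
import secrets

# Toy parameter set, constructed for this example (far too small for real use).
# t, l, s are the security parameters of Appendix A; x lies in {0, ..., b}.
t, l, s = 40, 40, 40
b = 2**32

def make_group(p, q):
    """Return (n, g, h) with n = p*q, g a random square mod n and h = g^alpha.
    The demo generates h itself; in the protocol Alice must not know alpha
    (nor the factorization of n1)."""
    n = p * q
    g = pow(secrets.randbelow(n - 2) + 2, 2, n)
    alpha = secrets.randbelow(n - 1) + 1
    return n, g, pow(g, alpha, n)

n1, g1, h1 = make_group(1000000007, 998244353)   # n1: factorization "unknown" to both
n2, g2, h2 = make_group(1000000009, 999999937)   # n2: factorization may be known to Alice

def H(W1, W2):
    """Hash W1 || W2 to a 2t-bit integer (SHA-256 truncated; residues fixed-width encoded)."""
    digest = hashlib.sha256(W1.to_bytes(16, "big") + W2.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - 2 * t)

def E1(x, r1):
    """E1(x, r1) = g1^x h1^r1 mod n1 (a negative r1 uses Python's modular inverse)."""
    return pow(g1, x, n1) * pow(h1, r1, n1) % n1

def E2(x, r2):
    """E2(x, r2) = g2^x h2^r2 mod n2."""
    return pow(g2, x, n2) * pow(h2, r2, n2) % n2

def random_r(n):
    """r selected uniformly over {-2^s n + 1, ..., 2^s n - 1}."""
    return secrets.randbelow(2 ** (s + 1) * n - 1) - (2**s * n - 1)

def commit(x):
    """Alice's two commitments E = E1(x, r1), F = E2(x, r2); returns (E, F, r1, r2)."""
    r1, r2 = random_r(n1), random_r(n2)
    return E1(x, r1), E2(x, r2), r1, r2

def dlog_commit(x):
    """Variant from the closing note: F = g2^x is a plain discrete logarithm (r2 = 0)."""
    return pow(g2, x, n2)

def prove(x, r1, r2, dlog=False):
    """Steps 1-3 (Alice). With dlog=True, eta2 = 0 and r2 = 0, so D2 = 0."""
    w = secrets.randbelow(2 ** (l + t) * b - 1) + 1
    eta1 = secrets.randbelow(2 ** (l + t + s) * n1 - 1) + 1
    eta2 = 0 if dlog else secrets.randbelow(2 ** (l + t + s) * n2 - 1) + 1
    W1 = pow(g1, w, n1) * pow(h1, eta1, n1) % n1
    W2 = pow(g2, w, n2) * pow(h2, eta2, n2) % n2
    c = H(W1, W2)
    return c, w + c * x, eta1 + c * r1, eta2 + c * (0 if dlog else r2)

def verify(E, F, proof):
    """Step 4 (Bob): c must equal H(g1^D h1^D1 E^-c mod n1 || g2^D h2^D2 F^-c mod n2)."""
    c, D, D1, D2 = proof
    V1 = pow(g1, D, n1) * pow(h1, D1, n1) * pow(E, -c, n1) % n1
    V2 = pow(g2, D, n2) * pow(h2, D2, n2) * pow(F, -c, n2) % n2
    return c == H(V1, V2)
```

Completeness is visible in `verify`: $g_1^{D} h_1^{D_1} E^{-c} = g_1^{w + cx - cx} h_1^{\eta_1 + c r_1 - c r_1} = W_1$, and likewise for $W_2$, so Bob recomputes exactly the inputs Alice hashed. A second commitment to a different value makes the $n_2$ term differ from $W_2$ and the check fails (up to a $2^{-2t}$ hash collision).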



B Proof of Equality of a Third Root and a Committed Number

This proof is derived from [14].

Let $n_1$ be a large composite number whose factorization is unknown by Alice and Bob, and $n_2$ be another large composite number whose factorization is known or unknown by Alice. Let $g_1$ be an element of large order in $\mathbb{Z}_{n_1}^*$ and $h_1$ be an element of the group generated by $g_1$ such that both the discrete logarithm of $g_1$ in base $h_1$ and the discrete logarithm of $h_1$ in base $g_1$ are unknown by Alice. We denote by $E_1(x, r_1) = g_1^x h_1^{r_1} \bmod n_1$ a commitment to $x$ in base $(g_1, h_1)$ where $r_1$ is randomly selected over $\{-2^s n_1 + 1, \ldots, 2^s n_1 - 1\}$. We also denote by $E_2(x) = x^3 \bmod n_2$ an RSA$(n_2, 3)$ encryption of $x$.

Alice secretly holds $x \in \{0, \ldots, b\}$. Let $E = E_1(x, r_1)$ and $F = E_2(x) = x^3 \bmod n_2$ be a commitment to $x$ and an RSA encryption of $x$. She wants to prove to Bob that she knows $x$ and $r_1$ such that $E = E_1(x, r_1)$ and $F = E_2(x)$, i.e. that $E$ and $F$ hide the same secret $x$.

Protocol: $PK(x, r_1, r_2 : E = E_1(x, r_1) \bmod n_1 \wedge F = E_2(x) \bmod n_2)$.

1. Alice computes $a = \ldots$ (in $\mathbb{Z}$), $G_2 = E_1(x^2, r_2)$, $G_3 = E_1(x^3, r_3)$ and $Z = E_1(a n_2, -r_3)$.

2. Alice proves to Bob that $E$, $G_2$ and $G_3$ are commitments to the same value respectively in bases $(g_1, h_1)$, $(E, h_1)$ and $(G_2, h_1)$, and that she knows which value is committed by $Z$ in base $(g_1^{n_2}, h_1)$.

3. Bob checks these proofs, computes $T = g_1^{F} \bmod n_1$ and checks that $T = G_3 Z \bmod n_1$.
Abstract. In this paper we present a new scheme for constructing universal one-way hash functions that hash arbitrarily long messages out of universal one-way hash functions that hash fixed-length messages. The new construction is extremely simple and is also very efficient, yielding shorter keys than previously proposed composition constructions.



1 Introduction 

In this paper we consider the problem of constructing universal one-way hash 
functions (UOWHFs). 

The notion of a UOWHF was introduced by Naor and Yung [NY89]. A UOWHF is a keyed hash function with the following property: if an adversary chooses a message $x$, and then a key $K$ is chosen at random and given to the adversary, it is hard for the adversary to find a different message $x' \ne x$ such that $H_K(x) = H_K(x')$.

As a cryptographic primitive, a UOWHF is an attractive alternative to the more traditional notion of a collision-resistant hash function (CRHF), which is characterized by the following property: given a random key $K$, it is hard to find two different messages $x, x'$ such that $H_K(x) = H_K(x')$.

A reasonable approach to designing a UOWHF that hashes messages of arbitrary and variable length is to first design a compression function, that is, a UOWHF that hashes fixed-length messages, and then design a method for composing these compression functions so as to hash arbitrary messages. In this paper, we address the second problem, that of composing compression functions. The main technical problem in designing such composition schemes is to keep the key length of the composite scheme from getting too large.

This composition problem was studied in some detail by Bellare and Rogaway [BR97]. They proposed and analyzed several composition schemes.

In this paper, we propose and analyze a new composition scheme. This scheme 
is extremely simple, and yields shorter keys than previously proposed schemes. 

We also suggest an efficient and concrete implementation based on our com- 
position technique, using a standard “off the shelf” compression function, like 
SHA-1, under the weak assumption of second preimage collision resistance. 

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 445-452, 2000. 

© Springer-Verlag Berlin Heidelberg 2000
2 UOWHFs versus CRHFs

A UOWHF is an attractive alternative to a CRHF because 

(1) it seems easier to build an efficient and secure UOWHF than to build an 
efficient and secure CRHF, and 

(2) in many applications, most importantly for building digital signature 
schemes, a UOWHF is sufficient. 

As evidence for claim (1), we point out the recent attacks on MD5 
[dBB93,Dob96]. We also point out the complexity theoretic result of Simon 
[Sim98] that shows that there exists an oracle relative to which UOWHFs exist 
but CRHFs do not. CRHFs can be constructed based on the hardness of spe- 
cific number-theoretic problems, like the discrete logarithm problem [Dam87]. 
Simon’s result is strong evidence that CRHFs cannot be constructed based on 
an arbitrary one-way permutation, whereas Naor and Yung [NY89] show that a 
UOWHF can be so constructed. 

As for claim (2), one of the main applications of collision resistant hashing is digital signatures. The idea is to create a short “message digest” that can then be signed using a signature algorithm that needs to work only on short messages. As pointed out by Bellare and Rogaway [BR97], a UOWHF suffices for this. To sign a message $x$, the signer chooses a key $K$ for a UOWHF $H$, and produces the signature $(K, \sigma(K, H_K(x)))$, where $\sigma$ is the underlying signing function for short messages. For some UOWHFs, the key $K$ can grow with the message length — indeed, the scheme we propose here has a key that grows logarithmically with the message length. This can lead to technical difficulties, since then the message we need to sign with $\sigma$ can get too large. One solution to this problem is to instead make the signature $(K, \sigma(H_{K'}(K), H_K(x)))$, where $K'$ is a UOWHF key that is part of the signer’s public key. This is a somewhat simpler solution to this problem than the one presented in [BR97], and we leave it to the reader to verify the security of this composite signature scheme.

Naor and Yung [NY89] in fact show how to build a secure digital signa- 
ture scheme based solely on a UOWHF; however, the resulting scheme is not 
particularly practical. 

3 Previous Composition Constructions 

We briefly summarize here previous constructions for composing UOWHFs. 

We assume we have a UOWHF $H$ that maps strings of length $a$ to strings of length $b$, where $a > b$, and that $H$ is keyed by a key $K$. The goal is to build from this a composite UOWHF that hashes messages of arbitrary and variable length. To simplify the discussion, we restrict our attention in this section to the problem of hashing long, but fixed-length messages. There are general techniques to deal with variable length messages (see [BR97]).

The simplest construction is the linear hash. Let $m = a - b$. Suppose the message $x$ consists of $l$ blocks $x_1, \ldots, x_l$, where each block is an $m$-bit string. Then using $l$ keys $K_1, \ldots, K_l$ for $H$, and an arbitrary $b$-bit “initial vector” $h_0$, we compute $h_i$ for $1 \le i \le l$ as $h_i = H_{K_i}(h_{i-1} \circ x_i)$, where “$\circ$” denotes concatenation. The output of the composite hash function is $h_l$.

The security of this scheme is analyzed in detail in [BR97]. Note that we need to use $l$ independent keys $K_1, \ldots, K_l$. If we use instead just a single key, the resulting scheme does not necessarily preserve the UOW property of the compression function. This situation is quite different from the situation where we are constructing a composite hash function out of a CR compression function; in that situation, the composite hash function does indeed inherit the CR property from the compression function [Dam89,Mer89].

Although the linear hash is quite simple, it is not very attractive from a 
practical point of view, as the key length for the composite scheme grows linearly 
with the message length. 

If the keys for the compression function are longer than the output length $b$ of the compression function, then a variant of the linear hash, the XOR linear hash [BR97], yields somewhat shorter, though still linear sized keys. In this scheme, we use a single key $K$ for the compression function $H$, and in addition, the key of the composite scheme has $l$ “masks” $M_1, \ldots, M_l$, each of which is a random $b$-bit string. The scheme is then the same as the linear hash, except that we compute $h_i$ for $1 \le i \le l$ as $h_i = H_K((h_{i-1} \oplus M_i) \circ x_i)$.

As pointed out by Naor and Yung [NY89], we can get composite schemes with logarithmic key size by using a tree hash, which is the same as a construction proposed by Wegman and Carter [WC81] for composing universal hash functions. For simplicity, assume that $a = bd$ for an integer $d$, and that we want to hash messages of length $bd^t$ for some $t > 0$. Then we hash using a tree evaluation scheme, where at each level $i$ of the tree, for $1 \le i \le t$, we hash $bd^i$ bits to $bd^{i-1}$ bits. At a given level $i$, we apply the compression function $H$ $d^{i-1}$ times, using the same key $K_i$. So in the composite scheme we need $t$ keys $K_1, \ldots, K_t$.

If the keys of the compression function are long, a more efficient scheme is the XOR tree hash [BR97]. This is the same as the tree hash scheme, except as follows. We use a single compression function key $K$, and in addition, we use $t$ “masks” $M_1, \ldots, M_t$, each of which is a random $a$-bit string. Whenever we evaluate the compression function at level $i$ in the tree, we “mask” its input with $M_i$; that is, we compute its input as the bit-wise exclusive-or of $M_i$ and the input used in the normal tree hash.

The new scheme we present in the next section most closely resembles the XOR linear hash, except that we re-use the masks as much as possible to minimize the key length. The key length of the new scheme is smaller (asymptotically) than the key length of the XOR tree hash by a factor of $d/\log_2 d$, while at the same time requiring essentially the same amount of computation. This, combined with the fact that the new scheme is extremely simple, makes it an attractive alternative to the XOR tree hash.
4 The New Scheme

We now describe our new scheme, which is the same as the XOR linear hash, except that we get by with a smaller number of masks. Since it is not difficult to do, we describe how our scheme works for variable length messages.

Again, our starting point is a UOW compression function $H$ that is keyed by a key $K$, and compresses $a$ bits to $b$ bits. Let $m = a - b$. We assume that a message $x$ is formatted as a sequence of $l$ blocks $x_1, \ldots, x_l$, each of which is an $m$-bit string, and we assume that the last block $x_l$ encodes the bit length of $x$ in some canonical way. The number of blocks $l$ may vary, but we assume that $l \le L$ for some given $L$.

The key for the composite scheme consists of a single key $K$ for $H$, together with a number of “masks,” each of which is a random $b$-bit string. We need $t + 1$ masks $M_0, \ldots, M_t$, where $t = \lfloor \log_2 L \rfloor$.

To define the scheme, we use the function $\nu_2(i)$ which counts the number of times 2 divides $i$, i.e., for $i \ge 1$, $\nu_2(i)$ is the largest integer $i'$ such that $2^{i'}$ divides $i$.

The hash function is defined as follows. Let $h_0$ be an arbitrary $b$-bit string. For $1 \le i \le l$, we define $h_i = H_K((M_{\nu_2(i)} \oplus h_{i-1}) \circ x_i)$. The output of the composite hash is $h_l$.

Theorem 1. If $H$ is a UOWHF, then the above composite scheme is also a UOWHF.

The remainder of this section is devoted to a proof of this theorem. We show how an adversary $A$ that finds collisions in the composite scheme can be turned into an adversary $A'$ that finds collisions in the compression function $H$. This reduction is quite efficient: the running time of $A'$ is essentially the same as that of $A$, and if $A$ finds a collision with probability $\epsilon$, then $A'$ finds a collision with probability about $\epsilon/L$.

We begin with an auxiliary definition. Let $x$ be an input to the composite hash function; for $1 \le i \le l$, define $S_i(x)$ to be the first $b$ bits of the input to the $i$th application of the compression function $H$. The definition of $S_i(x)$ depends, of course, on the value of the composite hash function’s key, which will be clear from context.

Consider the behavior of adversary $A$. Suppose its first message $x$ — the “target” message — is formatted as $x_1, \ldots, x_l$, and its second message $x'$ that yields the collision is formatted as $x'_1, \ldots, x'_{l'}$.

For this collision, we let $\delta$ be the smallest nonnegative integer such that $S_{l-\delta}(x) \circ x_{l-\delta} \ne S_{l'-\delta}(x') \circ x'_{l'-\delta}$. Since we are encoding the bit length of a message in the last message block, if the bit lengths of $x$ and $x'$ differ, then clearly $\delta = 0$. Otherwise, $l = l'$ and it is easy to see that $\delta$ is well defined.

The pair $S_{l-\delta}(x) \circ x_{l-\delta}$, $S_{l'-\delta}(x') \circ x'_{l'-\delta}$ will be the collision on $H_K$ that $A'$ finds.

The adversary $A'$ runs as follows. We let $A$ choose its first message $x$. Then $A'$ guesses the value of $\delta$ at random. This guess will be right with probability $1/L$. $A'$ now constructs its target message as $S \circ x_{l-\delta}$, where $S$ is a random $b$-bit string. Now a random key $K$ for the compression function $H$ is chosen. The task of $A'$ is to generate masks $M_0, \ldots, M_t$ such that the composite key $(K, M_0, \ldots, M_t)$ has the correct distribution, and also that $S_{l-\delta}(x) = S$. Once this is accomplished, the adversary $A$ attempts to find a collision with $x$. If $A$ succeeds, and if the guess at $\delta$ was correct, this will yield a collision for $A'$.

We now present a “key construction” algorithm that on input $x, \delta, K, S, t$ as above, generates masks $M_0, \ldots, M_t$ as required. The algorithm to do this is described in Figure 1.



    for (j ← 0; j ≤ t; j ← j + 1) status_j ← “undefined”
    S_{l−δ} ← S
    status_{ν₂(l−δ)} ← “being defined”
    for (i ← l − δ − 1; i ≥ 1; i ← i − 1) {
        j ← ν₂(i)
    (1) if (status_j = “undefined”) {
            choose S_i as a random b-bit string
            status_j ← “being defined”
            h_i ← H_K(S_i ∘ x_i)
            i' ← i + 1; j' ← ν₂(i')
            while (status_{j'} ≠ “being defined”) {
                h_{i'} ← H_K((h_{i'−1} ⊕ M_{j'}) ∘ x_{i'})
                i' ← i' + 1; j' ← ν₂(i')
            }
            M_{j'} ← h_{i'−1} ⊕ S_{i'}
            status_{j'} ← “defined”
        }
    }
    i' ← 1; j' ← 0
    while (status_{j'} ≠ “being defined”) {
        h_{i'} ← H_K((h_{i'−1} ⊕ M_{j'}) ∘ x_{i'})
        i' ← i' + 1; j' ← ν₂(i')
    }
    M_{j'} ← h_{i'−1} ⊕ S_{i'}
    status_{j'} ← “defined”
    for (j ← 0; j ≤ t; j ← j + 1)
        if (status_j = “undefined”) choose M_j as a random b-bit string

Fig. 1. Key Construction Algorithm



We can describe the algorithm at a high level as follows. During the course of execution, each mask $M_j$, for $0 \le j \le t$, has a status, status$_j$, where the status is one of the values “undefined,” “being defined,” or “defined.” Initially, each status value is “undefined.” As the algorithm progresses, the status of a mask changes first to “being defined,” and finally to “defined,” at which point the algorithm actually assigns a value to the mask.

The algorithm starts at block $l - \delta$, and assigns the value $S$ to $S_{l-\delta}$, where in general $S_i$ represents the value of $S_i(x)$ for $1 \le i \le l$. The algorithm sets the status of mask $\nu_2(l - \delta)$ to “being defined.” Now the algorithm considers blocks $l - \delta - 1, l - \delta - 2, \ldots, 1$ in turn. When it reaches block $i$ in this “right to left sweep,” it looks at the status of mask $j = \nu_2(i)$. As we shall prove below, the status of this mask $j$ is never “being defined” at this moment in time. If the status is “def`ined,” it skips to the next value of $i$. If the status is “undefined,” then it chooses $S_i$ at random, and changes the status of mask $j$ to “being defined.” The algorithm also runs the hash algorithm from “left to right,” computing $h_i, h_{i+1}, \ldots, h_{i'-1}$, until it finds a block $i'$ whose mask $j' = \nu_2(i')$ has the status “being defined.” At this point, the mask $j'$ is computed as $M_{j'} = h_{i'-1} \oplus S_{i'}$, and the status of mask $j'$ is changed to “defined.” Thus, at any point in time, there is exactly one mask whose status is “being defined,” except briefly during the “left to right hash evaluation.”

When the algorithm finishes the “right to left sweep,” there will still be one mask whose status is “being defined,” and the “left to right hash evaluation” as described above is used to define this mask, thereby converting its status to “defined.” There may still be other masks whose status is “undefined,” and these are simply assigned random values.

The key to analyzing this algorithm is to show that when we visit block $i$ in the “right to left sweep,” we do not encounter a mask $j = \nu_2(i)$ such that the status of mask $j$ is “being defined.” Let us make this more precise. As $i$ runs from $l - \delta - 1$ down to 1 in the main loop, let $V_i$ be the value of status$_j$ when the line marked (1) in Figure 1 is executed. We prove below in Lemma 1 that $V_i \ne$ “being defined” for all $i$. So long as this is the case, we avoid circular definitions, and it is easy to see that the algorithm constructs masks $M_0, \ldots, M_t$ with just the right distribution. Indeed, the key construction algorithm implicitly defines a one-to-one map between tuples $(K, M_0, \ldots, M_t)$ and $(K, S, S^{(1)}, \ldots, S^{(t)})$, where $S^{(1)}, \ldots, S^{(t)}$ are randomly chosen $b$-bit strings, and $S = S_{l-\delta}(x)$.
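The key construction algorithm of Figure 1, as an added example that is not the paper's own code: a Python implementation next to the composite hash of Section 4, so that a constructed key can be checked against the requirement $S_{l-\delta}(x) = S$. The compression function $H_K$ is an assumption made here (SHA-256 with $K$ prefixed, truncated to $b = 128$ bits, with $m = 128$-bit message blocks); the paper fixes no concrete $H_K$ in this section. The `RuntimeError` branch marks the situation Lemma 1 proves cannot occur.

```python
import hashlib
import secrets

B = 16   # b bits, as bytes: output size of the compression function (toy: 128 bits)
M = 16   # m = a - b bits, as bytes: one message block

def nu2(i):
    """nu_2(i): the largest i' such that 2^{i'} divides i (i >= 1)."""
    return (i & -i).bit_length() - 1

def H_K(K, y):
    """Stand-in for the keyed UOW compression function H_K (assumption: SHA-256 keyed
    by prefixing K, truncated to b bits)."""
    return hashlib.sha256(K + y).digest()[:B]

def xor(u, v):
    return bytes(p ^ q for p, q in zip(u, v))

def composite_hash(K, masks, h0, blocks):
    """Section 4 scheme: h_i = H_K((M_{nu2(i)} xor h_{i-1}) o x_i).
    Returns (h_l, S) where S[i] = S_i(x), the first b bits of the i-th input to H_K."""
    h, S = h0, [None]
    for i, x in enumerate(blocks, start=1):
        S.append(xor(masks[nu2(i)], h))
        h = H_K(K, S[i] + x)
    return h, S

def construct_masks(blocks, delta, K, S, t, h0):
    """Figure 1: masks M_0..M_t with the right distribution and S_{l-delta}(x) = S."""
    l = len(blocks)
    status = ["undefined"] * (t + 1)
    masks = [None] * (t + 1)
    S_val = {l - delta: S}      # S_i values fixed so far
    h = {0: h0}                 # h_i values computed so far (h_0 is the IV)

    def hash_left_to_right(i):
        # Evaluate h_i, h_{i+1}, ... until a block i' whose mask is "being defined";
        # that mask is then forced to M_{j'} = h_{i'-1} xor S_{i'}.
        j = nu2(i)
        while status[j] != "being defined":
            h[i] = H_K(K, xor(h[i - 1], masks[j]) + blocks[i - 1])
            i, j = i + 1, nu2(i + 1)
        masks[j] = xor(h[i - 1], S_val[i])
        status[j] = "defined"

    status[nu2(l - delta)] = "being defined"
    for i in range(l - delta - 1, 0, -1):      # the "right to left sweep"
        j = nu2(i)
        if status[j] == "being defined":        # V_i = "being defined": excluded by Lemma 1
            raise RuntimeError("circular mask definition")
        if status[j] == "undefined":
            S_val[i] = secrets.token_bytes(B)   # S_i chosen at random
            status[j] = "being defined"
            h[i] = H_K(K, S_val[i] + blocks[i - 1])
            hash_left_to_right(i + 1)
    hash_left_to_right(1)                       # from h_0 up to the last "being defined" mask
    for j in range(t + 1):                      # leftover masks are uniformly random
        if status[j] == "undefined":
            masks[j] = secrets.token_bytes(B)
    return masks
```

Running `composite_hash` with the returned masks recomputes every $h_i$ from scratch, so checking `S[l - delta] == S` on its output confirms that the forward passes inside `construct_masks` and the real hash chain agree.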

So the proof of Theorem 1 now depends on the following lemma.

Lemma 1. For $1 \le i \le l - \delta - 1$, $V_i \ne$ “being defined.”

To prove this lemma, we need two simple facts, which we leave to the reader to verify.

Fact 1. For any positive integers $A < B$ with $\nu_2(A) = \nu_2(B)$, there exists an integer $C$ with $A < C < B$ and $\nu_2(C) > \nu_2(A)$.

Fact 2. For any positive integers $A < B$, and for any nonnegative integer $v < \min\{\nu_2(A), \nu_2(B)\}$, there exists an integer $C$ with $A < C < B$ and $\nu_2(C) = v$.

Now to the proof of the lemma. Suppose $V_i =$ “being defined” for some $i$, and let $A$ be the largest such value of $i$. Then there must be a unique integer $B$ with $A < B \le l - \delta$ such that $\nu_2(B) = \nu_2(A)$. This is the point where we set the status of mask $\nu_2(A)$ to “being defined.” The uniqueness of $B$ follows from the maximality of the choice of $A$.

By Fact 1, there must be an index $C$ with $A < C < B$ and $\nu_2(C) > \nu_2(A)$. There may be several such $C$; among these, choose from among those with maximal $\nu_2(C)$, and from among these, choose the largest one.

We claim that $V_C =$ “defined.” To see this, note that we cannot have $V_C =$ “being defined,” since we chose $A$ to be the maximal index with this property. Also, we cannot have $V_C =$ “undefined,” since then we would have defined mask $\nu_2(A)$ at this point, and we would have $V_A =$ “defined.”

Since $V_C =$ “defined,” we must have set the status of mask $\nu_2(C)$ to “being defined” in a loop iteration prior to $C$. Thus, there must exist $D$ with $C < D \le l - \delta$ and $\nu_2(D) = \nu_2(C)$. By the way we have chosen $C$, we must have $D > B$.

Again by Fact 1, there exists an integer $E$ with $C < E < D$, and $\nu_2(E) > \nu_2(C)$. Again, by the choice of $C$, we must have $E > B$.

Finally, by Fact 2, there exists an integer $F$ with $E < F < D$ and $\nu_2(F) = \nu_2(A)$. So we have $B < F < l - \delta$ with $\nu_2(F) = \nu_2(A)$, which is a contradiction. That completes the proof of the lemma. See Figure 2 for a visual aid.



[Figure 2 (diagram not reproduced): the indices A, C, B, E, F, D in left-to-right order, each drawn with a vertical line.]

Fig. 2. From the proof of Lemma 1. The vertical lines represent the relative magnitudes of the corresponding values of $\nu_2$.



5 A Concrete Implementation 

In this section, we suggest a concrete implementation for a practical UOWHF. 

Given a method for building a composite UOW hash function out of a UOW compression function, one still has to construct a UOW compression function. A pragmatic approach is to use an “off the shelf” compression function such as the SHA-1 compression function $C : \{0,1\}^{160} \times \{0,1\}^{512} \to \{0,1\}^{160}$. The assumption we make about $C$ is that it is second preimage collision resistant, i.e., if a random input $(S, B)$ is chosen, then it is hard to find a different input $(S', B') \ne (S, B)$ such that $C(S, B) = C(S', B')$. This assumption seems to be much weaker than the assumption that no collisions in $C$ can be found at all (which as an intractability assumption is not even well defined). Indeed, the techniques used to find collisions in MD5 [dBB93,Dob96] do not appear to help in finding second preimages.

Note that from a complexity theoretic point of view, second preimage collision resistance is no stronger than the UOW property. Indeed, if $H_K(x)$ is a UOWHF, then the function sending $(K, x)$ to $(K, H_K(x))$ is second preimage collision resistant.

The second preimage resistance assumption on $C$ allows us to build a UOW compression function as follows. The key is a random element $(S', B')$ in the domain of $C$, and the value of the compression function on $(S, B)$ is $C(S \oplus S', B \oplus B')$.

We could apply our composition construction directly to this. However, there is one small optimization possible; namely, we can eliminate $S'$ from the key.

We can now put this all together. Assume that a message $x$ is formatted as a sequence $x_1, \ldots, x_l$ of 512-bit blocks, where the last block encodes the bit length of $x$. Let $L$ be an upper bound on $l$, and let $t = \lfloor \log_2 L \rfloor$. The key for our hash function consists of a random 512-bit string $B'$, along with $t + 1$ 160-bit strings $M_0, \ldots, M_t$. Then the hash of $x$ is defined to be $h_l$, where $h_0$ is an arbitrary 160-bit string, and $h_i = C(h_{i-1} \oplus M_{\nu_2(i)}, x_i \oplus B')$ for $1 \le i \le l$.

Our analysis shows that this hash function is UOW, assuming C is second 
preimage collision resistant. 
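The concrete scheme of this section, which instantiates the composite hash of Section 4, as an added example written for this page rather than taken from the paper: a Python implementation with a self-contained SHA-1 compression function $C$ (checked against `hashlib`), the key $(B', M_0, \ldots, M_t)$ with $t = \lfloor \log_2 L \rfloor$, and the chain $h_i = C(h_{i-1} \oplus M_{\nu_2(i)}, x_i \oplus B')$. The message formatting (pad with a 0x80 byte, then a separate final block holding the bit length) is one canonical choice made here; the paper does not fix one. $h_0$ is taken to be the SHA-1 initial value, which is as arbitrary a 160-bit string as any.

```python
import hashlib
import secrets
import struct

MASK = 0xFFFFFFFF
SHA1_IV = bytes.fromhex("67452301efcdab8998badcfe10325476c3d2e1f0")  # used as h_0

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1_compress(state, block):
    """C: 160-bit chaining value x 512-bit block -> 160 bits (the SHA-1 compression function)."""
    h = list(struct.unpack(">5I", state))
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[i]) & MASK
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return struct.pack(">5I", *[(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))])

def selftest():
    """SHA-1('abc') is one compression of its padded block: compare with hashlib."""
    block = b"abc" + b"\x80" + b"\x00" * 52 + struct.pack(">Q", 24)
    return sha1_compress(SHA1_IV, block) == hashlib.sha1(b"abc").digest()

def nu2(i):
    """nu_2(i): number of times 2 divides i (i >= 1)."""
    return (i & -i).bit_length() - 1

def xor(u, v):
    return bytes(p ^ q for p, q in zip(u, v))

def format_blocks(msg):
    """Our canonical formatting: 0x80 then zero padding to 64-byte blocks, followed by a
    final block whose last 8 bytes are the bit length of msg (big-endian)."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % 64)
    length_block = b"\x00" * 56 + struct.pack(">Q", 8 * len(msg))
    data = padded + length_block
    return [data[i:i + 64] for i in range(0, len(data), 64)]

def keygen(L):
    """Composite key: a random 512-bit B' and t + 1 random 160-bit masks, t = floor(log2 L)."""
    t = L.bit_length() - 1
    return {"B": secrets.token_bytes(64), "M": [secrets.token_bytes(20) for _ in range(t + 1)]}

def uow_hash(key, msg, L):
    """h_i = C(h_{i-1} xor M_{nu2(i)}, x_i xor B') for 1 <= i <= l; output h_l."""
    blocks = format_blocks(msg)
    if len(blocks) > L:
        raise ValueError("message has more than L blocks")
    h = SHA1_IV
    for i, x in enumerate(blocks, start=1):
        h = sha1_compress(xor(h, key["M"][nu2(i)]), xor(x, key["B"]))
    return h
```

The key for $L = 1024$ blocks (64 KiB messages) is $512 + 11 \cdot 160$ bits; the XOR linear hash of Section 3 would need $1024$ masks for the same bound. The `ValueError` enforces the $l \le L$ assumption on which the mask count depends.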
Abstract. We study the problem of partial key exposure. Standard cryptographic definitions and constructions do not guarantee any security even if a tiny fraction of the secret key is compromised. We show how to build cryptographic primitives that remain secure even when an adversary is able to learn almost all of the secret key.

The key to our approach is a new primitive of independent interest, which we call an Exposure-Resilient Function (ERF) - a deterministic function whose output appears random (in a perfect, statistical or computational sense) even if almost all the bits of the input are known. ERF’s by themselves efficiently solve the partial key exposure problem in the setting where the secret is simply a random value, like in private-key cryptography. They can also be viewed as very secure pseudorandom generators, and have many other applications.

To solve the general partial key exposure problem, we use the (generalized) notion of an All-Or-Nothing Transform (AONT), an invertible (randomized) transformation $T$ which, nevertheless, reveals “no information” about $x$ even if almost all the bits of $T(x)$ are known. By applying an AONT to the secret key of any cryptographic system, we obtain security against partial key exposure. To date, the only known security analyses of AONT candidates were made in the random oracle model. We show how to construct ERF’s and AONT’s with nearly optimal parameters. Our computational constructions are based on any one-way function. We also provide several applications and additional properties concerning these notions.



1 Introduction 

A great deal of cryptography can be seen as finding ways to leverage the posses- 
sion of a small but totally secret piece of knowledge (a key) into the ability to 
perform many useful and complex actions: from encryption and decryption to 
identification and message authentication. But what happens if our most basic assumption breaks down — that is, if the secrecy of our key becomes partially compromised?

It has been noted that key exposure is one of the greatest threats to security in 
practice [1]. For example, at the Rump session of CRYPTO ’98, van Someren [23] 
illustrated a breathtakingly simple attack by which keys stored in the memory of 
a computer could be identified and extracted, by looking for regions of memory 
with high entropy. Within weeks of the appearance of the followup paper [21], a 
new generation of computer viruses emerged that tried to use these ideas to steal 
secret keys [8]. Shamir and van Someren [21] gave some heuristic suggestions on 
preventing these kinds of attacks, but their methods still do not solve the problem 
of partial exposure. 

Unfortunately, standard cryptographic definitions and constructions do not 
guarantee security even if a tiny fraction of the secret key is exposed. Indeed, 
many constructions become provably insecure (the simplest example would be 
“one-time pad” encryption), while the security of others becomes unclear. In this 
work, we show how to build cryptographic primitives, in the standard model 
(i.e., without random oracles) and using general computational assumptions, 
that remain provably secure even when the adversary is able to learn almost all 
of the secret key. Our techniques also have several applications in other settings. 

Previous Approaches and Our Goals. The most widely considered solutions 
to the problem of key exposure are distribution of keys across multiple servers 
via secret sharing [20,3] and protection using specialized hardware. Distribution 
across many systems, however, is quite costly. Such an option may be available 
to large organizations, but is not realistic for the average user. Similarly, the 
use of specially protected hardware (such as smartcards) can also be costly, 
inconvenient, or inapplicable in many contexts. 

Instead, we seek to enable a single user to protect itself against partial key 
exposure on a single machine. A natural idea would be to use a secret sharing 
scheme to split the key into shares, and then attempt to provide protection by 
storing these shares instead of storing the secret key directly. However, secret 
sharing schemes only guarantee security if the adversary misses at least one share 
in its entirety. Unfortunately, each share must be fairly large (about as long as 
the security parameter). Thus, in essence we return to our original problem: 
even if an adversary only learns a small fraction of all the bits, it could be 
that it learns a few bits from each of the shares, and hence the safety of the 
secret can no longer be guaranteed. We would like to do better. (Indeed, our 
techniques provide, for certain parameters, highly efficient computational secret 
sharing schemes [15], where the size of secret shares can be as small as one bit! See Remark 9 in Section 5.1.)

The All-or-Nothing Transform. Recently Rivest [19], motivated by different 
security concerns arising in the context of block ciphers, introduced an intriguing 
primitive called the All-Or-Nothing Transform (AONT). An AONT¹ is an efficiently computable transformation $T$ on strings such that:

— For any string $x$, given (all the bits of) $T(x)$, one can efficiently recover $x$.

— There exists some threshold $\ell$ such that any polynomial-time adversary that (adaptively) learns all but $\ell$ bits of $T(x)$ obtains “no information” about $x$.

The AONT solves the problem of partial key exposure: rather than storing a 
secret key directly, we store the AONT applied to the secret key. If we can build 
an AONT where the threshold value £ is very small compared to the size of the 
output of the AONT, we obtain security against almost total exposure. Notice 
that this methodology applies to secret keys with arbitrary structure, and thus 
protects all kinds of cryptographic systems. One can also consider more general 
AONT’s that have a two-part output: a public output that doesn’t need to be 
protected (but is used for inversion), and a secret output that has the exposure- 
resilience property stated above. Such a notion would also provide the kind of 
protection we seek to achieve. As mentioned above, AONT has many other 
applications, such as enhancing the security of block-ciphers, hash functions and 
making fixed-blocksize encryption schemes more efficient (e.g., [14,22]). For an 
excellent exposition on these and other applications of the AONT, see [4]. 

Our Results. Until now, the only known analysis of an AONT candidate was 
carried out by [4], who showed that Bellare and Rogaway’s Optimal Asymmetric 
Encryption Padding (OAEP) [2] yields an AONT in the Random Oracle model. 
However, analysis in the Random Oracle model provides only a limited security 
guarantee for real-life schemes where the random oracle is replaced with an actual 
hash function [5].² In this work, we give the first constructions for AONT’s with
essentially optimal resilience in the standard model, based only on computational 
assumptions. 

The key to our approach and our main conceptual contribution is the notion 
of an Exposure-Resilient Function (ERF) — a deterministic function whose 
output appears random even if almost all the bits of the input are revealed. 
We believe this notion is useful and interesting in its own right. Consider for example an ERF with an output that is longer than its input — this can be seen as a particularly strong kind of pseudorandom generator, where the generator’s output remains pseudorandom even if most of the seed is known. ERF’s provide an alternative solution to AONT for the partial key exposure problem, since (at least, in principle) we can assume that our secret key is a truly random string (say, the randomness used to generate the actual secret key). In such a case, we choose and store a random value and use its image under $f$ (where $f$ is an ERF) in place of it. In many settings (such as in private-key cryptography) this alternative is much more efficient than AONT. Another application of ERF’s is for protecting against gradual key exposure, where no bound on the amount of information the

¹ Here we informally present a refinement of the definition due to Boyko [4].

² Though for a much weaker definition, Stinson [25] has given an elegant construction for AONT with security analysis in the standard setting. As observed by [4], however, this construction does not achieve the kind of security considered here.
adversary obtains is assumed; instead, we assume only a bound on the rate at which the adversary gains information.

Our main results regarding ERF’s and AONT’s are summarized as follows. 

— We show how to construct, from any one-way function, for any $\epsilon > 0$, an ERF mapping an input of $n$ bits to an output of any size polynomial in $n$, such that as long as any $n^{\epsilon}$ bits of the input remain unknown, the output will be pseudorandom.

— We build an unconditionally secure ERF whose output of size $k$ is statistically close to uniform provided one misses only $\ell = k + o(k)$ bits of the input. This is optimal up to the lower order term, as no unconditionally secure ERF’s exist when $k > \ell$.

— Furthermore, we show that any computationally secure ERF with $k > \ell$ implies the existence of one-way functions.

— We give a simple construction of an AONT based on any ERF. For any $\epsilon > 0$, we show how to achieve a resilience threshold of … where … is the size of the output of the AONT. If viewed as an AONT with separate public and secret outputs, then the size of the output of the AONT can be made optimal as well.

— We show that the existence of an AONT with $\ell \le k - 1$, where $k$ is the size of the input, implies the existence of one-way functions. We show that this result is tight up to a constant factor by constructing an unconditionally secure AONT with $\ell = O(k)$ using no assumptions.

— We give another construction of an AONT based on any length-preserving function $f$ such that both $[x \mapsto f(x)]$ and $[x \mapsto f(x) \oplus x]$ are ERF’s. This construction is similar to the OAEP, and so our analysis makes a step towards abstracting the properties of the random oracle needed to make the OAEP work as an AONT. It also has the advantage of meeting the standard definition of an AONT (without separate public and secret outputs) while retaining a relatively short output length.

— Finally, we show that a seemingly weaker “average-case” definition of AONT is equivalent to the standard “worst-case” definition of AONT, by giving an efficient transformation that achieves this goal.

Previous Work. Chor et al. [6] considered a notion called a t-resilient function, 
which is related to our notion of an Exposure-Resilient Function (ERF). A t-resilient 
function is a function whose output is truly random even if an adversary 
can fix any t of the inputs to the function. This turns out to be equivalent to the 
strongest formulation of unconditional security for an ERF. We give constructions 
for statistical unconditionally secure ERF's that beat the impossibility 
results given in [6], by achieving an output distribution that is not truly random, 
but rather exponentially close in statistical deviation from truly random. 

The concern of forward-security (or, protection from the complete exposure 
of past keys) was considered by Diffie et al. [7] in the context of key exchange, 
and by Bellare and Miner [1] in the context of signature schemes. These works 
prevent an adversary that gains current secret keys from being able to decrypt 
past messages or forge signatures on messages “dated” in the past. In contrast, 
our work deals with providing security for both the future as well as the past, 
but assuming that not all of the secret key is compromised. 

Organization. Section 2 briefly defines some preliminaries. Section 3 defines 
Exposure-Resilient Functions and All-Or-Nothing Transforms. Section 4 talks 
in detail about constructions and applications of ERF's, while Section 5 is concerned 
with constructing and examining the properties of AONT's. 

2 Preliminaries 

For a randomized algorithm $\mathcal{A}$ and an input $x$, we denote by $\mathcal{A}(x)$ the output 
distribution of $\mathcal{A}$ on $x$, and by $\mathcal{A}(x; r)$ we denote the output string when using 
the randomness $r$. We write $m = \mathrm{poly}(k)$ to indicate that $m$ is polynomially 
bounded in $k$. In this paper we will not optimize certain constant factors which 
are not of conceptual importance. Unless otherwise specified, we will consider 
security against nonuniform adversaries. 

Let $\binom{[n]}{\ell}$ denote the set of size-$\ell$ subsets of $[n] = \{1 \ldots n\}$. For $L \in \binom{[n]}{\ell}$, 
$x \in \{0,1\}^n$, let $[x]_L$ denote $x$ restricted to its $(n - \ell)$ bits not in $L$. We denote 
by $\oplus$ the bit-wise exclusive OR operator. 

We recall that the statistical difference (also called statistical distance) between 
two random variables $X$ and $Y$ on a finite set is defined to be 

$$\max_{S} \bigl|\Pr[X \in S] - \Pr[Y \in S]\bigr| = \frac{1}{2} \sum_{a} \bigl|\Pr[X = a] - \Pr[Y = a]\bigr|$$ 

Given two distributions $A$ and $B$, we denote by $A \approx_c B$ ($A \approx_{\epsilon} B$, $A \equiv B$) the fact 
that they are computationally (statistically within $\epsilon$, perfectly) indistinguishable 
(see, for instance, [9]). For the case of statistical closeness, we will always have $\epsilon$ 
negligible in the appropriate security parameter. When the statement can hold 
for any of the above choices (or the choice is clear from the context), we simply 
write $A \approx B$. 

3 Definitions 

In this section, we define the central concepts in our paper: Exposure-Resilient 
Functions (ERF's) and All-Or-Nothing Transforms (AONT's). An ERF is a 
function such that if its input is chosen at random, and an adversary learns 
all but $\ell$ bits of the input, for some threshold value $\ell$, then the output of the 
function will still appear (pseudo) random to the adversary. Formally, 

Definition 1. A polynomial time computable function $f : \{0,1\}^n \to \{0,1\}^k$ 
is $\ell$-ERF (exposure-resilient function) if for any $L \in \binom{[n]}{\ell}$ and for a randomly 
chosen $x \in \{0,1\}^n$, $R \in \{0,1\}^k$, the following distributions are indistinguishable: 

$$\langle [x]_L,\; f(x) \rangle \approx \langle [x]_L,\; R \rangle \qquad (1)$$ 

Here $\approx$ can refer to perfect, statistical or computational indistinguishability. 




458 



Ran Canetti et al. 



Remark 1. Note that this is a “non-adaptive” version of the definition. One 
may also consider an adaptive version of the definition, where the adversary 
may adaptively choose one-bit-at-a-time which $n - \ell$ positions of the input to 
examine. Owing only to the messiness of such a definition, we do not give a formal 
definition here, but we stress that all our constructions satisfy this adaptive 
definition, as well. 

The definition states that an ERF transforms $n$ random bits into $k$ (pseudo) 
random bits, such that even learning all but $\ell$ bits of the input leaves the output 
indistinguishable from a random value. There are several parameters of interest 
here: $\ell$, $n$, and $k$. We see that the smaller $\ell$ is, the harder it is to satisfy the 
condition above, since fewer bits are left unknown to the adversary. In general, 
there are two measures of interest: the fraction of $\ell$ with respect to $n$, which we 
would like to be as small as possible (this shows the “resilience”); and the size 
of $k$ with respect to $\ell$, which we want to be as large as possible (this shows how 
many pseudorandom bits we obtain compared to the number of random bits the 
adversary cannot see). We now define the notion of an AONT: 

Definition 2. A randomized polynomial time computable function $T : \{0,1\}^k \to 
\{0,1\}^s \times \{0,1\}^p$ is $\ell$-AONT (all-or-nothing transform) if 

1. $T$ is efficiently invertible, i.e. there is a polynomial time machine $I$ such that 
for any $x \in \{0,1\}^k$ and any $y = (y_1, y_2) \in T(x)$, we have $I(y) = x$. 

2. For any $L \in \binom{[s]}{\ell}$, any $x_0, x_1 \in \{0,1\}^k$ we have 

$$\langle x_0,\, x_1,\, [T(x_0)]_L \rangle \approx \langle x_0,\, x_1,\, [T(x_1)]_L \rangle \qquad (2)$$ 

(here $[T(x)]_L$ denotes the public output $y_2$ together with the secret output $y_1$ 
restricted to its bits not in $L$). In other words, the random variables 
$\{[T(x)]_L \mid x \in \{0,1\}^k\}$ are all indistinguishable from each other. Here $\approx$ can 
refer to perfect, statistical or computational indistinguishability. 

If $T(x) = (y_1, y_2)$, we call $y_1$ the secret output and $y_2$ the public output of $T$. 

If $p = 0$ (there is no public output), we call $T$ a secret-only $\ell$-AONT. 

Remark 2. Note again, as in Remark 1, that the definition given here is a “non-adaptive” 
definition. We stress that all our constructions satisfy the corresponding 
adaptive definition, as well. 

Remark 3. The above definition is “indistinguishability” based. As usual, one 
can make the equivalent “semantic security” based definition, where the adversary, 
given $z = [T(x)]_L$ (where $x$ is picked according to some distribution $D$), 
cannot compute $w$ satisfying some relation $\mathcal{R}(x, w)$ “significantly better” than 
without $z$ at all. The proof of equivalence is standard and is omitted. Thus, the 
all-or-nothing transforms allow one to “encode” any $x$ in such a form that the 
encoding is easily invertible, and yet, an adversary learning all but $\ell$ bits of the 
(secret part of the) encoding “cannot extract any useful information” about $x$. 

Remark 4. The definition given above generalizes and simplifies (because there 
are no random oracles) the formal definition for secret-only AONT given by 
Boyko [4] (refining an earlier definition of Rivest [19]) in a setting with a random 
oracle. In particular, while previous definitions were restricted to secret-only 
AONT, our definition allows one to split the output into two sections: a secret 
part $y_1$ and a public part $y_2$. The public part of the output requires no protection 
— that is, it is used only for inversion and can be revealed to the adversary in 
full. The security guarantee states that as long as $\ell$ bits of the secret output $y_1$ 
remain hidden (while all the bits of $y_2$ can be revealed), the adversary should 
have “no information” about the input. We note that our generalized notion 
of AONT solves the problem of partial key exposure and also remains equally 
applicable to all the other known uses of the secret-only AONT. Moreover, we 
will see that it gives us more flexibility and also allows us to characterize the 
security of our constructions more precisely. 

Boyko [4] showed that, in the random oracle model, the following so called 
“optimal asymmetric encryption padding” (OAEP) construction of [2] is a 
(secret-only) $\ell$-AONT (where $\ell$ can be chosen to be logarithmic in the security 
parameter). Let $G : \{0,1\}^n \to \{0,1\}^k$ and $H : \{0,1\}^k \to \{0,1\}^n$ be random oracles 
(where $n$ is any number greater than $\ell$). The randomness of $T$ is $r \leftarrow \{0,1\}^n$. 
Define $T(x; r) = (u, t)$, where $u = G(r) \oplus x$, $t = H(u) \oplus r$. We note that the 
inverse is $I(u, t) = G(H(u) \oplus t) \oplus u$. No constructions of AONT based on standard 
assumptions were previously known. 

Remark 5. The notions of ERF and AONT are closely related with the following 
crucial difference. In an ERF, the “secret” is a (pseudo) random value 
$f(r)$. ERF allows one to represent this random secret in an “exposure-resilient” 
way by storing $r$ instead. In AONT, the secret is an arbitrary $x$, which can 
be represented in an “exposure-resilient” way by storing $T(x)$ instead. Thus, 
ERF allows one to represent a random secret in an exposure-resilient way, while 
AONT allows this for any secret. We remark that ERF's can be much more 
efficient than AONT's for the case of (pseudo) random secrets; for example, 
in the computational setting we can store the value $r$ that is shorter than the 
length of the actual secret $f(r)$, which is impossible to achieve with AONT's 
due to their invertibility. 



4 Exposure-Resilient Functions (ERF) 

In this section we give constructions and some applications of exposure-resilient 
functions (ERF's). First, we describe perfect ERF's and their limitations. Then, 
on our way to building computational ERF's with very strong parameters, we 
build statistical ERF's, achieving essentially the best possible parameters and 
surpassing the impossibility results for perfect ERF's. Finally, we show how 
to combine this construction with standard pseudorandom generators to construct 
computational ERF's (from $n$ to $k$ bits) based on any one-way function 
that achieve any $\ell = \Omega(n^{\epsilon})$ and any $k = \mathrm{poly}(n)$ (in fact, we show that such 
ERF's are equivalent to the existence of one-way functions). Our main results 
are summarized in the following theorem: 

Theorem 1. Assume $\ell \ge n^{\epsilon}$ (for some $\epsilon > 0$). Then 

1. There exist statistical $\ell$-ERF's $f : \{0,1\}^n \to \{0,1\}^k$ with $k = \ell - o(\ell)$. 

2. If $\ell < k \le \mathrm{poly}(n)$, computational $\ell$-ERF's $f : \{0,1\}^n \to \{0,1\}^k$ exist iff 
one-way functions exist. 



4.1 Perfect ERF 

Here we require that $\langle [x]_L, f(x) \rangle \equiv \langle [x]_L, R \rangle$. Since the distributions are identical, 
this is equivalent to saying that no matter how one sets any $(n - \ell)$ bits of $x$ (i.e. 
sets $[x]_L$), as long as the remaining bits are set at random, the output $f(x)$ is 
still perfectly uniform over $\{0,1\}^k$. This turns out to be exactly the notion of 
so called $(n - \ell)$-resilient functions considered in [6]. As an example, if $k = 1$, 
exclusive OR of $n$ input bits is a trivial perfect 1-ERF (or an $(n - 1)$-resilient 
function). 

We observe that perfect $\ell$-ERF can potentially exist only for $\ell \ge k$. Optimistically, 
we might expect to indeed achieve $\ell = O(k)$. However, already for 
$k = 2$ Chor et al. [6] show that we must have $\ell > n/3$, i.e. at least a third of the 
input should remain secret in order to get just 2 random bits! On the positive 
side, using binary linear error correcting codes (see [16]), one can construct the 
following perfect $\ell$-ERF. 

Theorem 2 ([6]). Let $M$ be a $k \times n$ matrix. Define $f(x) = M \cdot x$, where $x \in 
\{0,1\}^n$. Then $f$ is perfect $\ell$-ERF if and only if $M$ is the generator matrix for a 
code of distance $d \ge n - \ell + 1$. 

Applying it to any asymptotically good (i.e. $n = O(k)$ and $d = \Omega(n)$) linear 
code (e.g. the Justesen code), we can get $\ell = (1 - \epsilon)n$, $k = \delta n$, where $\epsilon$ and $\delta$ 
are (very small) constants. 

Note that for any code, $k \le n - d + 1$ (this is called the Singleton bound). Thus, 
we have $k \le n - (n - \ell + 1) + 1 = \ell$, as expected. Also, it is known that $d < n/2$ 
for $k > 2 \log n$. This implies that we are limited to have $\ell > n/2$. However, at 
the expense of making $n = \mathrm{poly}(k)$, using a Reed-Solomon code concatenated 
with a Hadamard code, we can achieve $\ell = n - d + 1$ to be arbitrarily close to 
$n/2$, but can never cross it. 
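As an added example (not from the paper), the following Python code checks Theorem 2 by brute force on a tiny instance: the generator matrix of the [7,4,3] Hamming code (constructed here) and the all-ones 1 x 7 matrix of the XOR example above. `is_perfect_erf` tests Definition 1 in the perfect setting directly, fixing the exposed bits in every possible way and requiring the output to be exactly uniform over the hidden completions, and `min_distance` computes $d$ so that both directions of the theorem can be compared for every threshold $\ell$.

```python
"""Added example (not from the paper): Theorem 2 checked by brute force on a tiny instance."""
from itertools import combinations, product

# Generator matrix of the [7,4,3] Hamming code (k = 4 rows, n = 7 columns), constructed here.
HAMMING_7_4 = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# The XOR example from the text: k = 1, f(x) = parity of all n bits.
XOR_7 = [[1] * 7]


def erf_linear(matrix, x):
    """f(x) = M . x over GF(2): output bit i is the parity of x on the support of row i."""
    return tuple(sum(m * xi for m, xi in zip(row, x)) % 2 for row in matrix)


def min_distance(matrix):
    """Distance d of the code generated by M: minimum weight of a nonzero codeword y^T M."""
    k, n = len(matrix), len(matrix[0])
    best = n
    for coeffs in product((0, 1), repeat=k):
        if not any(coeffs):
            continue
        word = [sum(c * row[j] for c, row in zip(coeffs, matrix)) % 2 for j in range(n)]
        best = min(best, sum(word))
    return best


def is_perfect_erf(matrix, ell):
    """Definition 1 in the perfect setting, checked exhaustively: for every set L of ell
    hidden positions and every fixing of the other n - ell bits, f(x) must be exactly
    uniform over {0,1}^k as the hidden bits range over all 2^ell completions."""
    k, n = len(matrix), len(matrix[0])
    for hidden in combinations(range(n), ell):
        exposed = [i for i in range(n) if i not in hidden]
        for fixed in product((0, 1), repeat=len(exposed)):
            counts = {}
            for free in product((0, 1), repeat=ell):
                x = [0] * n
                for i, b in zip(exposed, fixed):
                    x[i] = b
                for i, b in zip(hidden, free):
                    x[i] = b
                y = erf_linear(matrix, x)
                counts[y] = counts.get(y, 0) + 1
            # uniform iff all 2^k outputs occur, each equally often
            if len(counts) != 2 ** k or len(set(counts.values())) != 1:
                return False
    return True


def theorem2_holds(matrix):
    """Both directions of Theorem 2 for every ell: perfect ell-ERF iff d >= n - ell + 1."""
    n = len(matrix[0])
    d = min_distance(matrix)
    return all(is_perfect_erf(matrix, ell) == (d >= n - ell + 1) for ell in range(1, n + 1))


if __name__ == "__main__":
    print("d =", min_distance(HAMMING_7_4))            # 3, so perfect ell-ERF for ell >= 5
    print([ell for ell in range(1, 8) if is_perfect_erf(HAMMING_7_4, ell)])
    print(theorem2_holds(HAMMING_7_4), theorem2_holds(XOR_7))
```

The Hamming instance also shows the Singleton bound in action: with $k = 4$ the function cannot be a perfect $\ell$-ERF for any $\ell < 4$, and the weight-3 codewords push the actual threshold to $\ell = 5 = n - d + 1$.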



4.2 Statistical ERF 

We saw that perfect ERF cannot achieve $\ell \le n/3$. Breaking this barrier will 
be crucial in achieving the level of security we ultimately desire from (computational) 
ERF's. In this section, we show that by relaxing the requirement only 
slightly to allow negligible (in fact, exponentially small) statistical deviation, we 
are able to obtain ERF's for essentially any value of $\ell$ (with respect to $n$) such 
that we obtain an output size $k = \Omega(\ell)$ (in fact, even $\ell - o(\ell)$). Note that this is 
the best we can hope for (up to constant factors or even the lower order term), 
since it is not possible to have $k > \ell$ for any ERF with statistical deviation 
$\epsilon < 1/2$ (proof is obvious, and omitted). 

The key ingredient in our construction will be a combinatorial object called 
a strong extractor. An extractor is a family of hash functions $\mathcal{H}$ such that when 
a function $h$ is chosen at random from $\mathcal{H}$, and is applied to a random variable $X$ 
that has “enough randomness” in it, the resulting random variable $Y = h(X)$ 
is statistically close to the uniform distribution. In other words, by investing 
enough true randomness (namely, the amount needed to select a random member 
of $\mathcal{H}$), one can “extract” from $X$ a distribution statistically close to the uniform 
distribution. A strong extractor has an extra property that $Y$ is close to the 
uniform distribution even when the random function $h$ is revealed. (Perhaps 
the best known example of a strong extractor is given in the Leftover Hash 
Lemma of [13], where standard 2-universal hash families are shown to be strong 
extractors.) Much work has been done in developing this area (e.g. [24,26,18]). 
In particular, it turns out that one can extract almost all the randomness in $X$ 
by investing very few truly random bits (i.e. having small $\mathcal{H}$). 

The intuition behind our construction is as follows. Notice that after the adversary 
observes $(n - \ell)$ bits of the input (no matter how it chose those bits), 
the input can still be any of the $2^{\ell}$ completions of the input with equal probability. 
In other words, conditioned on any observation made by the adversary, the 
probability of any particular string being the input is at most $2^{-\ell}$. Thus, if we 
apply a sufficiently good extractor to the input, we have a chance to extract $\Omega(\ell)$ 
bits statistically close to uniform — exactly what we need. The problem is that 
we need some small amount of true randomness to select the hash function in 
the extractor family. However, if this randomness is small enough (say, at most 
$\ell/2$ bits), we can take it from the input itself! Hence, we view the first $\ell/2$ bits 
of $x$ (which we will call $u$) as the randomness used to select the hash function 
$h_u$, and the rest of $x$ we call $v$. The output of our function will be $h_u(v)$. Then 
observing $(n - \ell)$ bits of $x$ leaves at least $2^{\ell/2}$ equally likely possible values of $v$ 
(since $|u| = \ell/2$). Now, provided our extractor is good enough, we indeed obtain 
$\Omega(\ell)$ bits statistically close to uniform. 

A few important remarks are in place before we give precise parameters. 
First, the adversary may choose to learn the entire $u$ (i.e. it knows $h_u$). This is 
not a problem since we are using a strong extractor, i.e. the output is random 
even if one knows the true randomness used. Secondly, unlike the perfect ERF 
setting, where it was equivalent to let the adversary set $(n - \ell)$ input bits in any 
manner it wants, here the entire input (including $u$) must be chosen uniformly 
at random (and then possibly observed by the adversary). 

Our most important requirement is that the hash function in the strong 
extractor family be describable by a very short random string. This requirement 
is met by the strong extractor of Srinivasan and Zuckerman [24] using the hash 
families of Naor and Naor [17]. Their results can be summarized as follows: 

Lemma 1 ([24]). For any $\ell$ and $t \le \ell/2$, there exists a family $\mathcal{H}$ of hash functions 
mapping $\{0,1\}^n$ to a range $\{0,1\}^k$, where $k = \ell - 2t$, such that the following 
holds: A random member of $\mathcal{H}$ can be described by and efficiently computed using 
$4(\ell - t) + O(\log n)$ truly random bits (we will identify the hash function $h$ 
with these random bits). Furthermore, for any distribution $X$ on $\{0,1\}^n$ such 
that $\Pr[X = a] \le 2^{-\ell}$ for all $a \in \{0,1\}^n$, we have that the statistical difference 
between the following two distributions is at most $\epsilon = 2 \cdot 2^{-t}$: 

(A) Choose $h$ uniformly from $\mathcal{H}$ and $x$ according to $X$. Output $\langle h, h(x) \rangle$. 

(B) Choose $h$ uniformly from $\mathcal{H}$ and $R$ uniformly from $\{0,1\}^k$. Output $\langle h, R \rangle$. 

We are now ready to describe our statistical construction. 

Theorem 3. There exist statistical $\ell$-ERF $f : \{0,1\}^n \to \{0,1\}^k$ with $k = \Omega(\ell)$ 
and statistical deviation $2^{-\Omega(\ell)}$ for any $\ell$ and $n$ satisfying $\omega(\log n) \le \ell \le n$. 

Proof: Note that we will not optimize constant factors in this proof. Let $\ell' = \ell/5$ 
and $t = \ell/20$. We let the output size of our ERF be $k = \ell' - 2t = \ell/10$ and the 
statistical deviation be $\epsilon = 2 \cdot 2^{-t} = 2^{1 - \ell/20}$. Suppose the (random) input to our 
function is $x$. Now, we will consider the first $m = 4(\ell' - t) + O(\log n) \le 4\ell/5$ bits 
of $x$ to be $h$ (here we use $\ell = \omega(\log n)$), which describes some hash function in 
$\mathcal{H}$ mapping $\{0,1\}^n$ to $\{0,1\}^k$ as given in Lemma 1. Let $x'$ be $x$ with the first $m$ 
bits replaced by 0's. Note that $x'$ is independent of $h$, and the length of $x'$ is $n$. 
Define $f(x) = h(x')$. 

We now analyze this function. Observe that for any $L \in \binom{[n]}{\ell}$, conditioned on 
the values of both $[x]_L$ and $h$, there are still at least $\ell/5$ bit positions (among 
the last $n - m$ bit positions) of $x$ that are unspecified. Hence, for all $L \in \binom{[n]}{\ell}$, for 
all $h \in \{0,1\}^m$ and for all $a \in \{0,1\}^n$, we have that 

$$\Pr\bigl[\, x' = a \;\big|\; [x]_L,\, h \,\bigr] \le 2^{-\ell/5} = 2^{-\ell'}.$$ 

Thus, by Lemma 1, we have that $\langle [x]_L, f(x) \rangle = \langle [x]_L, h(x') \rangle \approx_{\epsilon} \langle [x]_L, R \rangle$, 
where $R$ is the uniform distribution on $\{0,1\}^k$, completing the proof. □ 

We make a few remarks about the security of this construction: 

Remark 6. Note that, in particular, we can choose $\ell$ to be anything super-logarithmic 
in $n$ (e.g., $\ell = n^{\epsilon}$ for any $\epsilon > 0$), providing excellent security against 
partial key exposure. Seen another way, we can choose $n$ to be essentially any 
size larger than $\ell$. 

Remark 7. The output size of our construction can be substantially improved by 
using recent strong extractors of [18]. In particular, we can achieve $k = \ell - o(\ell)$, 
provided $\ell = \omega(\log^{c} n)$, or $k = (1 - \delta)\ell$ (for any $\delta > 0$), provided $\ell = \omega(\log^{c} n)$, 
for suitable constants $c$. In both cases the statistical deviation can be made 
exponentially small in $\ell$. As $k$ must be less than $\ell$, this is essentially optimal. 
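As an added example (not from the paper), the following Python code implements the recipe behind Theorem 3 on toy parameters: the first $m$ bits of $x$ select a Toeplitz hash over GF(2), a 2-universal family and hence a strong extractor by the Leftover Hash Lemma of [13], which is applied to the remaining bits. The Toeplitz family stands in for the Srinivasan-Zuckerman family of Lemma 1, whose short description length is what matters asymptotically; it is an assumption of this example, not the paper's construction. Because $n$ is tiny, `stat_distance_given_L` computes the statistical distance of Definition 1 exactly for one set $L$ of hidden positions, and `max_stat_distance` takes the worst $L$. With $n = 9$, $m = 5$, $k = 2$, the case the text's intuition singles out (the adversary learns all of $u$ and nothing of $v$) gives distance $9/128$ against a Leftover Hash Lemma bound of $1/4$. The parameters are far too small for the asymptotic guarantees of Theorem 3; the block is meant to make the quantities in the proof concrete, not to exhibit a secure instance.

```python
"""Added example (not from the paper): the 'hash chosen by the input's own bits' idea
behind Theorem 3, on parameters small enough to compute the distance in Definition 1 exactly."""
from itertools import combinations, product


def toeplitz_hash(u, v, k):
    """h_u(v): k-bit hash. Row i of the k x |v| Toeplitz matrix is u[i], ..., u[i+|v|-1],
    so u has |v| + k - 1 bits. Random Toeplitz matrices form a 2-universal family."""
    return tuple(sum(u[i + j] * v[j] for j in range(len(v))) % 2 for i in range(k))


def erf_from_extractor(x, m, k):
    """f(x) = h_u(v): u = first m bits of x (the hash description), v = remaining bits."""
    return toeplitz_hash(x[:m], x[m:], k)


def stat_distance_given_L(n, m, k, hidden):
    """Exact statistical distance between <[x]_L, f(x)> and <[x]_L, R> over uniform x,
    for one set L of hidden positions (R uniform on {0,1}^k)."""
    exposed = [i for i in range(n) if i not in hidden]
    counts = {}
    for x in product((0, 1), repeat=n):
        key = (tuple(x[i] for i in exposed), erf_from_extractor(x, m, k))
        counts[key] = counts.get(key, 0) + 1
    total = 2 ** n
    ideal = 1 / (2 ** len(exposed) * 2 ** k)   # probability of each point under <[x]_L, R>
    seen = sum(abs(c / total - ideal) for c in counts.values())
    unseen = (2 ** len(exposed) * 2 ** k - len(counts)) * ideal
    return (seen + unseen) / 2


def max_stat_distance(n, m, k, ell):
    """Definition 1 quantifies over every L, so take the worst set of ell hidden positions."""
    return max(stat_distance_given_L(n, m, k, set(L)) for L in combinations(range(n), ell))


def lhl_bound(k, min_entropy):
    """Leftover Hash Lemma: for a universal family, distance <= (1/2) sqrt(2^k / 2^H_inf)."""
    return 0.5 * (2 ** k / 2 ** min_entropy) ** 0.5


if __name__ == "__main__":
    # n = 9 input bits: m = 5 describe a 2 x 4 Toeplitz matrix, the last 4 bits are v.
    n, m, k = 9, 5, 2
    # The case from the text: adversary learns all of u (positions 0..4), none of v.
    print(stat_distance_given_L(n, m, k, {5, 6, 7, 8}), "<=", lhl_bound(k, 4))
    for ell in (4, 6, 9):
        print(ell, max_stat_distance(n, m, k, ell))
```

For $L = \{5,6,7,8\}$ the distance can be checked by hand: of the 32 descriptions $u$, 28 give a rank-2 matrix (output exactly uniform), 3 give rank 1 (distance $1/2$) and the all-zero $u$ gives rank 0 (distance $3/4$), so the average is $(3 \cdot 1/2 + 3/4)/32 = 9/128$. This is exactly the loss the proof controls by making $h$ a negligible fraction of the hidden bits.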
4.3 Computational ERF 

The only limiting factor of the statistical construction is that the output size is 
limited to $k \le \ell$. By finally relaxing our requirement to computational security, 
we are able to achieve an arbitrary output size, by using a pseudorandom generator 
(PRG) as the final outermost layer of our construction. We also show 
that any ERF with $k > \ell$ implies the existence of PRG's (and thus, one-way 
functions), closing the loop. The proof of the following is straightforward, and 
therefore omitted: 

Lemma 2. Let $m, n = \mathrm{poly}(k)$, $f : \{0,1\}^n \to \{0,1\}^k$ be a statistical $\ell$-ERF 
(with negligible $\epsilon$) and $G : \{0,1\}^k \to \{0,1\}^m$ be a PRG. Then $g : \{0,1\}^n \to 
\{0,1\}^m$ mapping $x \mapsto G(f(x))$ is a computational $\ell$-ERF. 

Theorem 4. Assume one-way functions exist. Then for any $\ell$, any $n = \mathrm{poly}(\ell)$ 
and $k = \mathrm{poly}(n)$, there exists a computational $\ell$-ERF mapping $\{0,1\}^n$ to $\{0,1\}^k$. 

Proof: Let $k' = \Omega(\ell)$ be the output length given by Theorem 3. Since $k = \mathrm{poly}(\ell)$, 
one-way functions imply [12] the existence of a PRG $G : \{0,1\}^{k'} \to \{0,1\}^k$. 
Theorem 3 implies the existence of a statistical $\ell$-ERF $f$ from $\{0,1\}^n$ to $\{0,1\}^{k'}$ 
with negligible statistical deviation $2^{-\Omega(\ell)}$. By Lemma 2, $g(x) = G(f(x))$ is the 
desired computational $\ell$-ERF. □ 

Lemma 3. If there exists an $\ell$-ERF $f$ mapping $\{0,1\}^n$ to $\{0,1\}^k$, for $k > \ell$ 
(for infinitely many different values of $\ell, n, k$), then one-way functions exist. 

Proof: The hypothesis implies the existence of the ensemble of distributions $A = 
\langle [x]_L, f(x) \rangle$ and $B = \langle [x]_L, R \rangle$ where $R$ is uniform on $\{0,1\}^k$. By assumption, 
$A$ and $B$ are computationally indistinguishable ensembles. Note that $A$ can have 
at most $n$ bits of entropy (since the only source of randomness is $x$), while $B$ 
has $n - \ell + k \ge n + 1$ bits of entropy. Thus, the statistical difference between $A$ 
and $B$ is at least $1/2$. By the result of Goldreich [10], the existence of a pair 
of efficiently samplable distributions that are computationally indistinguishable 
but statistically far apart implies the existence of pseudorandom generators, 
and hence one-way functions. □ 

Theorem 1 now follows from Remark 7, Theorem 4 and Lemma 3. 

4.4 Applications of ERF 

As we said, $\ell$-ERF $f : \{0,1\}^n \to \{0,1\}^k$ allows one to represent a random secret 
in an “exposure-resilient” way. In Section 5 we show how to construct AONT's 
using ERF's. Here we give some other applications. 

As an immediate application, especially when $k > n$, it allows us to obtain 
a much stronger form of pseudorandom generator, which not only stretches $n$ 
bits to $k$ bits, but remains pseudorandom when any $(n - \ell)$ bits of the seed 
are revealed. As a natural extension of the above application, we can apply it 
to private-key cryptography. A classical one-time private-key encryption scheme 
over $\{0,1\}^k$ chooses a random shared secret key $r \in \{0,1\}^n$ and encrypts $x \in 
\{0,1\}^k$ by the pseudorandom “one-time pad” $G(r)$ (where $G$ is a PRG), i.e. 
$E(x; r) = x \oplus G(r)$. We can make it resilient to partial key exposure by 
replacing the PRG $G$ with an ERF $f$. 

For the next applications, we assume for convenience that ERF $f : \{0,1\}^k \to 
\{0,1\}^k$ is length-preserving. Using such $f$, we show how to obtain an exposure-resilient 
form of a pseudorandom function family (PRF) [11]. Let $\mathcal{F} = \{F_s \mid 
s \in \{0,1\}^k\}$ be a regular PRF family. Defining $F'_s = F_{f(s)}$, we get a new pseudorandom 
function family $\mathcal{F}' = \{F'_s \mid s \in \{0,1\}^k\}$, which remains pseudorandom 
even when all but $\ell$ bits of the seed $s$ are known. We apply this again to private-key 
cryptography. The classical private-key encryption scheme selects a random 
shared key $s \in \{0,1\}^k$ and encrypts $x$ by a pair $(x \oplus F_s(R),\; R)$, where $R$ is 
chosen at random. Again, replacing $\mathcal{F}$ by an exposure-resilient PRF, we obtain 
resilience against partial key exposure. Here our secret key is $s \in \{0,1\}^k$, but 
$f(s)$ is used as an index to a regular PRF. 

In fact, we can achieve security even against what we call the gradual key 
exposure problem in the setting with shared random keys. Namely, consider a 
situation where the adversary is able to learn more and more bits of the secret key 
over time. We do not place any upper bound on the amount of information the 
adversary learns, but instead assume only that the rate at which the adversary 
can gain information is bounded. For example, suppose that every week the 
adversary somehow learns at most $a$ bits of our secret $s$. We know that as long as 
the adversary misses $\ell$ bits of $s$, the system is secure^. To avoid ever changing the 
secret key, both parties periodically (say, with period slightly less than $(k - \ell)/a$ 
weeks) update their key by setting $s_{\mathrm{new}} = f(s_{\mathrm{old}})$. Since at the time of each 
update the adversary missed at least $\ell$ bits of our current key $s$, the value $f(s)$ is 
still pseudorandom, and thus secure. Hence, parties agree on the secret key only 
once, even if the adversary continuously learns more and more of the (current) 
secret! 



5 All-or-Nothing Transform (AONT) 

As we pointed out, no AONT constructions with analysis outside the random 
oracle model were known. We give several such constructions. One of our constructions 
implies that for the interesting settings of parameters, the existence of 
$\ell$-AONT's, $\ell$-ERF's and one-way functions are equivalent. The other construction 
can be viewed as a special case of the OAEP construction of Bellare and 
Rogaway [2]. Thus, our result can be viewed as the first step towards abstracting 
the properties of the random oracle that suffice for this construction to work. 
Finally, we give a “worst-case/average-case” reduction for AONT's that shows 
it suffices to design AONT's that are secure only for random $x_0, x_1$. 

^ We assume here that our ERF is secure against adaptive key exposure; as noted in 
Remark 1, our constructions achieve this. 
5.1 Simple Construction Using ERF 

We view the process of creating $\ell$-AONT as that of one-time private-key encryption, 
similarly to the application in Section 4.4. Namely, we look at the simplest 
possible one-time private-key encryption scheme — the one-time pad, which is 
unconditionally secure. Here the secret key is a random string $R$ of length $k$, and 
the encryption of $x \in \{0,1\}^k$ is just $x \oplus R$. We simply replace $R$ by $f(r)$ where $f$ 
is $\ell$-ERF and $r$ is our new secret. Thus, we obtain the following theorem, whose 
proof is omitted due to space constraints: 

Theorem 5. Let $f : \{0,1\}^n \to \{0,1\}^k$ be computational (statistical, perfect) 
$\ell$-ERF. Define $T : \{0,1\}^k \to \{0,1\}^n \times \{0,1\}^k$ (that uses $n$ random bits $r$) as 
follows: $T(x; r) = (r,\; f(r) \oplus x)$. Then $T$ is computational (statistical, perfect) 
$\ell$-AONT with secret part $r$ and public part $f(r) \oplus x$. 

Notice that the size of the secret part is $s = n$ and the size of the public part is $p = k$. 
As an immediate corollary of Theorems 1 and 5, we have: 

Theorem 6. Assume $\ell \le s \le \mathrm{poly}(\ell)$. There exist functions $T : \{0,1\}^k \to 
\{0,1\}^s \times \{0,1\}^k$ (with secret output of length $s$ and public output of length $k$) 
such that 

1. $T$ is statistical $\ell$-AONT with $k = \ell - o(\ell)$, or 

2. $T$ is computational $\ell$-AONT with $\ell < k \le \mathrm{poly}(s)$. 

For example, we could set $\ell = s^{\epsilon}$ to have excellent exposure-resilience. The 
computational construction also allows us to have essentially any input size $k$ 
we want (as long as it is polynomial in $s$), and have the total output size $s + k$ 
be dominated by $k$, which is close to optimal. A reasonable setting seems to be 
$s = o(k)$ (i.e., just slightly smaller than $k$) and $\ell = s^{\epsilon}$. 

Remark 8. Observe that any $\ell$-AONT with public and secret outputs of length $p$ 
and $s$, respectively, also gives a secret-only $\ell'$-AONT with output size $s' = s + p$ 
and $\ell' = \ell + p$ (since if the adversary misses $\ell + p$ bits of the output, it must miss 
at least $\ell$ bits of the secret output). Applying this to our construction (where 
$p = k$), we see that $\ell' = \ell + k$ and we can achieve essentially any $s' > \ell'$. In 
particular, we can still have excellent exposure-resilience $\ell' = (s')^{\epsilon}$, but now the 
output size $s' = (\ell')^{1/\epsilon} > k^{1/\epsilon}$ is large compared to the input length $k$. See 
Section 5.3 for a possible solution to this problem. We also notice that we can 
have $\ell' = 2k + o(k) = O(k)$ (and essentially any $s'$) even in the statistical setting. 

Remark 9. Consider an $\ell$-AONT with public output of size $p$ and secret output 
of size $s$. We can interpret this as being a kind of “gap” computational secret 
sharing scheme [15]. For some secret $x$, we apply the AONT to obtain a secret 
output $y_1$ and public output $y_2$. Here, we think of $y_2$ as being a public share 
that is unprotected. We interpret the bits of $y_1$ as being tiny shares that are 
only 1 bit long, with one share given to each of $s$ parties. We are guaranteed 
that if all the players cooperate, by the invertibility of the AONT, they can 
recover the secret $x$. On the other hand, if $s - \ell$ or fewer of the players collude, 
they gain no computational information about the secret whatsoever. We call 
this a “gap” secret sharing scheme because there is a gap between the number of 
players needed to reconstruct the secret and the number of players that cannot 
gain any information. Note that such a gap is unavoidable when the shares are 
smaller than the security parameter. Using our constructions, we can obtain such 
schemes for any value of $\ell$ larger than the security parameter, and essentially 
any value of $s$ larger than $\ell$ (plus essentially any length $k$ of the secret). 

5.2 AONT Implies OWFs 

Theorem 7. Assume we have a computational $\ell$-AONT $T : \{0,1\}^k \to \{0,1\}^s \times 
\{0,1\}^p$ where $\ell < k - 1$. Then one-way functions exist. 

Proof: To show that OWF's exist it is sufficient to show that weak OWF's 
exist [9]. Fix $L = [\ell] \subseteq [s]$. Define $F(x_0, x_1, b, r) = (x_0, x_1, [y]_L)$, where $y = 
T(x_b; r)$. We claim that $F$ is a weak OWF. Assume not. Then there is an 
inverter $\mathcal{A}$ such that when $x_0, x_1, b, r$ are chosen at random, $y = T(x_b; r)$, 
$z = [y]_L$, $(x_0, x_1, b', r') = \mathcal{A}(x_0, x_1, z)$, $y' = T(x_{b'}; r')$, $z' = [y']_L$, we have 
$\Pr(z = z') > 3/4$. 

To show that there exist $x_0, x_1$ breaking the indistinguishability property of 
$T$, we construct a distinguisher $D$ for $T$ that has non-negligible advantage for 
random $x_0, x_1 \in \{0,1\}^k$. Hence, the job of $D$ is the following: $x_0, x_1, b, r$ are 
chosen at random, and we set $y = T(x_b; r)$, $z = [y]_L$. Then $D$ is given the 
challenge $z$ together with $x_0$ and $x_1$. Now, $D$ has to predict $b$ correctly with 
probability non-negligibly more than $1/2$. We let $D$ run $\mathcal{A}(x_0, x_1, z)$ to get $(b', r')$. 
Now, $D$ sets $y' = T(x_{b'}; r')$, $z' = [y']_L$. If indeed $z' = z$ (i.e. $\mathcal{A}$ succeeded), $D$ outputs 
$b'$ as its guess, else it flips a coin. 

Let $B$ be the event that $\mathcal{A}$ succeeds in inverting. From the way we set up the 
experiment, we know that $\Pr(B) > 3/4$. Call $E$ the event that when $x_0, x_1, b, r$ are 
chosen at random, $[T(x_b; r)]_L \in [T(x_{1-b})]_L$, i.e. there exists some $r'$ such that 
$[T(x_{1-b}; r')]_L = z$, or equivalently $(x_0, x_1, 1 - b, r')$ is also a preimage of $(x_0, x_1, z)$ 
under $F$. If $E$ does not happen and $\mathcal{A}$ succeeded in inverting, we know that $b' = b$, 
as $1 - b$ is an impossible answer. Thus, using $\Pr(B \wedge \neg E) \ge \Pr(B) - \Pr(E)$, we get: 

$$\Pr(D = b) \ge \tfrac{1}{2} - \tfrac{1}{2}\Pr(B) + \Pr(B \wedge \neg E) \ge \tfrac{1}{2} - \tfrac{1}{2}\Pr(B) + \Pr(B) - \Pr(E) 
= \tfrac{1}{2} + \tfrac{1}{2}\Pr(B) - \Pr(E) > \tfrac{1}{2} + \bigl(\tfrac{3}{8} - \Pr(E)\bigr).$$ 

To get a contradiction, we show that $\Pr(E) \le 2^{\ell - k}$, which is at most $1/4$ 
since $\ell < k - 1$. To show this, observe that $\Pr(E)$ is the probability of the 
event that when we choose $x, x', r$ at random and set $z = [T(x; r)]_L$, there is $r'$ 
such that $z = [T(x'; r')]_L$. However, for any fixed setting of $z$, there are only $2^{\ell}$ 
possible completions $y \in \{0,1\}^{s+p}$. And for each such completion $y$, invertibility 
of $T$ implies that there could be at most one $x'$ with $y \in T(x')$. Hence, for any setting 
of $z$, at most $2^{\ell}$ out of $2^k$ possible $x'$ have a chance to have the corresponding 
$r'$. Thus, $\Pr(E) \le 2^{\ell - k}$ indeed. □ 

We note that the result is essentially optimal (up to the lower order term), 
since by Theorem 6 there are statistical AONT's with $\ell = k + o(k)$. In fact, 
merging the secret and public parts of such an $\ell$-AONT (the latter having length 
$k$) gives a statistical secret-only $\ell'$-AONT with $\ell' = \ell + k = O(k)$ still. 

5.3 Towards Secret-Only AONT 

We also give another construction of an AONT based on any length-preserving 
function $f$ such that both $[x \mapsto f(x)]$ and $[x \mapsto f(x) \oplus x]$ are ERF's. The 
construction has the advantage of achieving secret-only AONT's, while retaining 
a relatively short output length. 

Recall that the OAEP construction of [2] sets $T(x; r) = (u, t)$, where $u = 
G(r) \oplus x$, $t = H(u) \oplus r$, and $G : \{0,1\}^n \to \{0,1\}^k$ and $H : \{0,1\}^k \to 
\{0,1\}^n$ are some functions (e.g., random oracles). We analyze the following construction, 
which is a special case of the OAEP construction with $n = k$, $G = f$ and $H$ 
being the identity function. Let $f : \{0,1\}^k \to \{0,1\}^k$, and define 
$T(x; r) = \bigl(f(r) \oplus x,\; (f(r) \oplus x) \oplus r\bigr)$; note that the inverse is $I(u, t) = u \oplus f(u \oplus t)$, 
since $u \oplus t = r$. Due to space limitations, we omit the proof of the following: 

Theorem 8. Assume $f$ is such that both $f(r)$ and $(f(r) \oplus r)$ are length-preserving 
computational $\ell$-ERFs. Then $T$ above is a computational secret-only $2\ell$-AONT. 

We note that a random oracle $f$ clearly satisfies the conditions of the Theorem. 
Thus, our analysis makes a step towards abstracting the properties of the 
random oracle needed to make the OAEP work as an AONT. We believe that 
the assumption of the theorem is quite reasonable, even though we leave open the 
question of constructing such $f$ based on standard assumptions. 



5.4 Worst-Case/Average-Case Equivalence of AONT

In the definition of AONT we require that Equation (2) holds for any $x_0, x_1$.
This implies (and is equivalent to) saying that it holds if one is to choose $x_0, x_1$
according to any distribution on pairs $(x_0, x_1)$. A natural such distribution is the
uniform distribution, which selects random $x_0, x_1$ uniformly and independently from
$\{0,1\}^k$. We call an AONT secure against (possibly only) the uniform distribution
an average-case AONT.⁴ A natural question to ask is whether average-case
AONT implies (regular) AONT with comparable parameters, which can be
viewed as the worst-case/average-case equivalence. We show that up to a constant
factor, the notions are indeed identical in the statistical or computational
settings. Below we assume without loss of generality that our domain is a finite
field (e.g. $GF(2^k)$), so that addition and multiplication are defined. We omit the
proof of the following due to space constraints:

⁴ Note, for instance, the proof of Theorem 7 works for average-case AONTs as well.
Lemma 4. Let $T : \{0,1\}^k \to \{0,1\}^s \times \{0,1\}^p$ be an average-case (statistical or
computational) $\ell$-AONT. Then the following $T'$ is a (statistical or computational)
AONT with parameters larger by a constant factor, where $a_1, a_2$ are chosen uniformly
at random subject to $a_1 + a_2 \neq 0$ (as part of the randomness of $T'$):

'() = (( 1) (2) 0 (( 1+ 2)- + )) 

In the above output, we separately concatenate secret and public outputs of $T$.
In particular, if $T$ is secret-only, then so is $T'$.

6 Conclusions 

We have studied the problem of partial key exposure and related questions. We 
have proposed solutions to these problems based on new constructions of the 
All-Or-Nothing Transform in the standard model (without random oracles). 

The key ingredient in our approach is an interesting new primitive which
we call an Exposure-Resilient Function. This primitive has natural applications
in combating key exposure, and we believe it is also interesting in its own
right. We showed how to build essentially optimal ERFs and AONTs (in the
computational setting, based on any one-way function). We also explored many
other interesting properties of ERFs and AONTs.

Acknowledgements. We would like to thank Madhu Sudan for several helpful 
discussions. Much of this work was performed while all authors were at the IBM 
T.J. Watson Research Center. Amit Sahai’s research was also supported in part 
by a DOD NDSEG Fellowship. 

References

1. M. Bellare, S. Miner. A Forward-Secure Digital Signature Scheme. In Proc. of Crypto, pp. 431-448, 1999.

2. M. Bellare, P. Rogaway. Optimal Asymmetric Encryption. In Proc. of EuroCrypt, pp. 92-111, 1995.

3. G. Blakley. Safeguarding Cryptographic Keys. In Proc. of AFIPS 1979 National Computer Conference, 1979.

4. V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. In Proc. of Crypto, pp. 503-518, 1999.

5. R. Canetti, O. Goldreich and S. Halevi. The Random-Oracle Model, Revisited. In Proc. of STOC, pp. 209-218, 1998.

6. B. Chor, J. Friedman, O. Goldreich, J. Håstad, S. Rudich, R. Smolensky. The Bit Extraction Problem or t-resilient Functions. In Proc. of FOCS, pp. 396-407, 1985.

7. W. Diffie, P. van Oorschot and M. Wiener. Authentication and authenticated key exchanges. Designs, Codes and Cryptography, 2:107-125, 1992.

8. A. Dornan. New Viruses Search For Strong Encryption Keys. In PlanetIT Systems Management News, March 1999, http://www.planetit.com/techcenters/docs/systems_management/news/PIT19990317S0015

9. O. Goldreich. Foundations of Cryptography (Fragments of a Book). Available at http://www.wisdom.weizmann.ac.il/home/oded/public_html/frag.html

10. O. Goldreich. A Note on Computational Indistinguishability. In IPL, 34:277-281, 1990.

11. O. Goldreich, S. Goldwasser and S. Micali. How to construct random functions. Journal of the ACM, 33(4):792-807, 1986.

12. J. Håstad, R. Impagliazzo, L. Levin, M. Luby. A Pseudorandom generator from any one-way function. In Proc. of STOC, 1989.

13. R. Impagliazzo, L. Levin, M. Luby. Pseudorandom Generation from one-way functions. In Proc. of STOC, pp. 12-24, 1989.

14. M. Jakobsson, J. Stern, M. Yung. Scramble All, Encrypt Small. In Proc. of Fast Software Encryption, pp. 95-111, 1999.

15. H. Krawczyk. Secret Sharing Made Short. In Proc. of Crypto, pp. 136-146, 1993.

16. F. J. MacWilliams, N. J. A. Sloane. The Theory of Error-Correcting Codes. Amsterdam, 1981.

17. J. Naor, M. Naor. Small-Bias Probability Spaces: Efficient Constructions and Applications. In SIAM J. Computing, 22(4):838-856, 1993.

18. R. Raz, O. Reingold, S. Vadhan. Error Reduction for Extractors. In Proc. of FOCS, pp. 191-201, 1999.

19. R. Rivest. All-or-Nothing Encryption and the Package Transform. In Fast Software Encryption, LNCS, 1267:210-218, 1997.

20. A. Shamir. How to share a secret. In Communic. of the ACM, 22:612-613, 1979.

21. A. Shamir, N. van Someren. Playing "hide and seek" with stored keys. In Proc. of Financial Cryptography, 1999.

22. S. U. Shin, K. H. Rhee. Hash functions and the MAC using all-or-nothing property. In Proc. of Public Key Cryptography, LNCS, 1560:263-275, 1999.

23. N. van Someren. How not to authenticate code. Crypto'98 Rump Session, Santa Barbara, 1998.

24. A. Srinivasan, D. Zuckerman. Computing with Very Weak Random Sources. In Proc. of FOCS, pp. 264-275, 1994.

25. D. Stinson. Something About All or Nothing (Transforms). Available from http://cacr.math.uwaterloo.ca/~dstinson/papers/AON.ps, 1999.

26. L. Trevisan. Construction of Extractors Using PseudoRandom Generators. In Proc. of STOC, pp. 141-148, 1999.




The Sum of PRPs Is a Secure PRF

Stefan Lucks*

Theoretische Informatik, Universität Mannheim
68131 Mannheim, Germany
lucks@th.informatik.uni-mannheim.de

Abstract. Given $d$ independent pseudorandom permutations (PRPs)
$\pi_1, \ldots, \pi_d$ over $\{0,1\}^n$, it appears natural to define a pseudorandom
function (PRF) by adding (or XORing) the permutation results:
$\mathrm{SUM}^d(x) = \pi_1(x) \oplus \cdots \oplus \pi_d(x)$. This paper investigates the security of
$\mathrm{SUM}^d$ and also considers a variant that only uses one single PRP over
$\{0,1\}^n$.



1 Introduction 

Cryptography requires an encryption function to be invertible: Someone knowing
the (secret) key must be able to recover the plaintext from the ciphertext.
Accordingly, under a fixed key, an $n$-bit block cipher is a permutation
$\pi : \{0,1\}^n \to \{0,1\}^n$. The classical security requirement is that $\pi$ must behave
pseudorandomly, i.e. must be indistinguishable from a random permutation
over $\{0,1\}^n$ without knowing the secret key.

In practice, block ciphers are used in many different modes of operation, and
not all of them need an invertible cipher. Sometimes, being invertible can even
hinder the security of schemes using the cipher. One such example is the "cipher
block chaining" (CBC) mode, a standard mode of operation for block ciphers:
if more than about $2^{n/2}$ blocks are encrypted, the ciphertext leaks information
about the plaintext [2]. So why not simply use a dedicated pseudorandom function
(PRF) instead of a pseudorandom permutation (PRP) in such cases? Two
reasons are:

— Applications may need both invertible ciphers and schemes where the cipher 
better would not be invertible. Double-using one primitive to implement both 
is less expensive in terms of memory or chip space. 

— There exist quite a lot of “proven” block ciphers, i.e., block ciphers published 
years ago, intensively cryptanalysed and widely trusted today. There are not 
as many good candidates for dedicated PRFs. 

Hence, instead of constructing pseudorandom functions from scratch, we consider
creating them using pseudorandom permutations as underlying building
blocks. Recently, the question of how to do this has caught the attention of the
cryptographic community [5,7]. Let $\pi_1, \ldots, \pi_d$ denote random permutations
over $\{0,1\}^n$ and $\oplus$ the bit-wise XOR. Bellare, Krovetz and Rogaway [5] point
out that the construction $\mathrm{SUM}^2(x) = \pi_1(x) \oplus \pi_2(x)$ has not (yet) been analysed.
In the current paper, we generalise this and analyse $\mathrm{SUM}^d : \{0,1\}^n \to \{0,1\}^n$
with $\mathrm{SUM}^d(x) = \pi_1(x) \oplus \cdots \oplus \pi_d(x)$.

* Supported by DFG grant Kr 1521/3-1.

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 470-484, 2000.
© Springer-Verlag Berlin Heidelberg 2000

Organisation of this Paper:

Section 2 and Section 3 present the notation and the basic definitions we use in
this paper and describe some previous research. Section 4 describes the security
of the PRF $\mathrm{SUM}^d(x) = \pi_1(x) \oplus \cdots \oplus \pi_d(x)$. In the following section, we analyse the
variant $\mathrm{TWIN}^d : \{0,1\}^{n - \lceil \log_2 d \rceil} \to \{0,1\}^n$ with
$\mathrm{TWIN}^d(x) = \pi(dx) \oplus \cdots \oplus \pi(dx + d - 1)$. Section 6 provides some comments and
conclusions. For better tangibility, the appendix considers the two-dimensional
special case $\mathrm{SUM}^2$.

2 Preliminaries 

We write $F_{m,n}$ for the set of all functions $\{0,1\}^m \to \{0,1\}^n$ and $F_n = F_{n,n}$. For
choosing a random value $x$, uniformly distributed in a set $M$, we write $x \in_R M$.
A random function $\phi \in F_{m,n}$ is a function $\phi \in_R F_{m,n}$. If $S_n$ is the set of all
permutations in $F_n$, a random permutation over $\{0,1\}^n$ is a function $\pi \in_R S_n$.

To measure the "pseudorandomness" of a function $f \in F_{m,n}$, chosen "somehow
randomly" but in general not uniformly distributed, we consider an adversary
$A$ trying to distinguish between $f$ and a random function $R \in_R F_{m,n}$. $A$ has
access to an oracle $Q$. $A$ chooses inputs $x \in \{0,1\}^m$; $Q$ responds $Q(x) \in \{0,1\}^n$.
$Q$ either simulates $R \in_R F_{m,n}$, or $f$. $A$'s output is $A(Q) \in \{0,1\}$. We view $A$
as a probabilistic algorithm, hence the output $A(Q)$ is a random variable over
$\{0,1\}$. $A(Q)$ depends on the random choice of $f$ and the internal coin flips of $A$
and $Q$. We evaluate the (unsigned) difference of the probabilities $\mathrm{pr}[A(Q) = 1]$
for $Q = R$ and $Q = f$, i.e. $A$'s "PRF advantage" $\mathrm{Adv}^{\mathrm{Fun}}_{A,f}$ with respect to $f$:

$$\mathrm{Adv}^{\mathrm{Fun}}_{A,f} = |\mathrm{pr}[A(R) = 1] - \mathrm{pr}[A(f) = 1]|.$$

$A$'s "PRP advantage" $\mathrm{Adv}^{\mathrm{Perm}}_{A,\pi}$ is defined similarly. Here, the oracle $Q$ simulates
a random permutation $P \in_R S_n$ or $\pi \in S_n$:

$$\mathrm{Adv}^{\mathrm{Perm}}_{A,\pi} = |\mathrm{pr}[A(P) = 1] - \mathrm{pr}[A(\pi) = 1]|.$$

Definition 1. A function $f \in F_{m,n}$ is a $(q, a)$-secure PRF, if all adversaries
$A$ asking at most $q$ oracle queries are restricted to $\mathrm{Adv}^{\mathrm{Fun}}_{A,f} \le a$. Similarly, we
define a $(q, a)$-secure PRP $\pi$: $\mathrm{Adv}^{\mathrm{Perm}}_{A,\pi} \le a$.

Note that "ideal" schemes are $(\infty, 0)$-secure: a random function is an $(\infty, 0)$-secure
PRF, and a random permutation is an $(\infty, 0)$-secure PRP.

The notion of "$(q, a)$-security" is very strong, since the adversaries' running
time is not limited. By simply searching the key-space, one could easily
distinguish a block cipher from a random permutation. We claim that one can
approximatively describe a practically secure block cipher under a random key
as an $(\infty, 0)$-secure PRP, see Section 6.1.

We interchangeably view $b$-bit strings $s = (s_{b-1}, \ldots, s_0) \in \{0,1\}^b$ as $b$-bit
numbers $s = \sum_{0 \le i < b} s_i \cdot 2^i$.

3 Previous Work 

3.1 Using a PRP as PRF 

It is widely known that a random permutation over $\{0,1\}^n$ is a $(q, q^2/2^n)$-secure
PRF. Since it nicely fits to our later results, we formalise this here:

Theorem 1. The random permutation $\pi \in F_n$ is a $(q, a)$-secure PRF with
$a = q^2/2^{n+1}$. An adversary $A^*$ exists to distinguish $\pi$ from a random function with
an advantage of $\mathrm{Adv}^{\mathrm{Fun}}_{A^*,\pi} = \Theta(q^2/2^n)$.

Proof: [Sketch] If by chance a random function $R$ behaves like a permutation,
i.e., for all $q$ pairs $(x_i, R(x_i))$ no collision $R(x_i) = R(x_j)$ with $x_i \ne x_j$ occurs,
then no adversary can distinguish between $R$ and a random permutation. On
the other hand, any collision proves that $R$ is no permutation. With $q$ inputs,
the probability to get a collision is at most $a = q^2/2^{n+1}$. □

Theorem 1 justifies using a block cipher (i.e. a PRP) as a PRF, if the
famous birthday bound $q \ll 2^{n/2}$ is observed. What about $q > 2^{n/2}$? Note that
the function $f^\oplus$ with $f^\oplus(x) = \pi(x) \oplus x$ is unlikely to be invertible, but is not a
better PRF since $\pi(x) = f^\oplus(x) \oplus x$ [7,5].
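The collision test behind Theorem 1, carried out in code as an added example (this is not code from the paper): a random permutation over {0,1}^n is sampled by shuffling a table (so n has to be small), a random function is sampled lazily, and the adversary A* outputs 1 exactly when two of its q distinct queries collide. Since a permutation never collides, A*'s advantage is the collision probability under a random function; the block computes it exactly, checks it against the bound a = q²/2^{n+1}, estimates it by simulation, and shows why f^⊕(x) = π(x) ⊕ x is no better: the adversary XORs each input back in and runs the same test on the recovered π-values. The function names and the parameters n = 8, q = 20 are choices made here, not the paper's.

```python
import random
from typing import Callable, Dict


def random_permutation(n: int, rng: random.Random) -> Callable[[int], int]:
    """Sample pi uniformly from S_n, the permutations of {0,1}^n (n must be small: 2^n-entry table)."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table.__getitem__


def random_function(n: int, rng: random.Random) -> Callable[[int], int]:
    """Sample R uniformly from F_n lazily: each new input gets an independent uniform n-bit output."""
    memo: Dict[int, int] = {}

    def R(x: int) -> int:
        if x not in memo:
            memo[x] = rng.getrandbits(n)
        return memo[x]

    return R


def collision_distinguisher(oracle: Callable[[int], int], q: int) -> int:
    """A* from Theorem 1: ask the q distinct inputs 0..q-1 (q <= 2^n) and output 1 iff two answers
    collide.  A permutation never triggers this, so A*'s advantage is pr[collision | random function]."""
    answers = [oracle(x) for x in range(q)]
    return int(len(set(answers)) < q)


def exact_collision_probability(q: int, n: int) -> float:
    """pr[A*(R) = 1] for R in_R F_n: 1 - prod_{0 <= i < q} (1 - i/2^n), the birthday computation."""
    p_all_distinct = 1.0
    for i in range(q):
        p_all_distinct *= 1.0 - i / (1 << n)
    return 1.0 - p_all_distinct


def theorem1_bound(q: int, n: int) -> float:
    """The (q, a)-security bound of Theorem 1, a = q^2 / 2^(n+1); it dominates the exact probability."""
    return q * q / 2 ** (n + 1)


def permutation_never_collides(n: int, q: int, seed: int = 0) -> bool:
    """Sanity check of the proof sketch: A* outputs 0 on every permutation."""
    return collision_distinguisher(random_permutation(n, random.Random(seed)), q) == 0


def empirical_advantage(n: int, q: int, trials: int, seed: int = 1) -> float:
    """Monte-Carlo estimate of |pr[A*(R) = 1] - pr[A*(pi) = 1]| with a fresh R and pi per trial."""
    rng = random.Random(seed)
    hits_function = sum(collision_distinguisher(random_function(n, rng), q) for _ in range(trials))
    hits_permutation = sum(collision_distinguisher(random_permutation(n, rng), q) for _ in range(trials))
    return abs(hits_function - hits_permutation) / trials


def xor_variant_is_undone(n: int, q: int, seed: int = 2) -> bool:
    """f_xor(x) = pi(x) xor x is usually not injective, but pi(x) = f_xor(x) xor x: an adversary with
    oracle access to f_xor recovers the pi-values and runs A* on them, so f_xor is no better PRF than pi."""
    rng = random.Random(seed)
    pi = random_permutation(n, rng)

    def f_xor(x: int) -> int:
        return pi(x) ^ x

    recovered_pi = [f_xor(x) ^ x for x in range(q)]
    return recovered_pi == [pi(x) for x in range(q)]


if __name__ == "__main__":
    n, q = 8, 20
    print("exact advantage of A*:", exact_collision_probability(q, n))
    print("Theorem 1 bound q^2/2^(n+1):", theorem1_bound(q, n))
    print("empirical advantage over 400 trials:", empirical_advantage(n, q, 400))
    print("pi recovered from pi(x) xor x:", xor_variant_is_undone(n, q))
```

With n = 8 and q = 20 the exact advantage is already above one half, which is the birthday bound q ≈ 2^{n/2} = 16 at work; the Monte-Carlo estimate lands close to it, and the permutation side of the estimate is always zero.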

3.2 Using Simple Operations and PRFs as Building Blocks

Much research dealt with constructing complex cryptographic operations from
(seemingly) simple ones: Levin [8] constructed "pseudorandom bit generators"
from "one-way functions", Goldreich, Goldwasser, and Micali [6] constructed
PRFs from "pseudorandom bit generators", and Luby and Rackoff [9] constructed
PRPs from PRFs. A lot of work has been done on improvements of
the Luby-Rackoff construction, some recent examples are [10,11,12]. Now we
go in the opposite direction: We construct PRFs from PRPs.

Another direction of cryptographic research was how to construct PRFs from 
smaller PRFs. Aiello and Venkatesan [1] presented a construction for PRFs over 
{0, 1}^” using PRFs over {0, 1}” as building blocks. 



3.3 Constructing a PRF from PRPs

"Data dependent re-keying" was proposed by Bellare, Krovetz, and Rogaway
[5]. Here, a block cipher $E$ with $k$-bit keys is a family of $2^k$ independent random
permutations. Set $j := \lceil k/n \rceil$. For keys $K_1, \ldots, K_j \in \{0,1\}^k$, the function
$E^*_{K_1, \ldots, K_j}$ maps $x \in \{0,1\}^n$ to $E^*_{K_1, \ldots, K_j}(x) \in \{0,1\}^n$ by the following algorithm:

    $K' := E_{K_1}(x) \,\|\, \cdots \,\|\, E_{K_j}(x)$;        (* Concatenate the values $E_{K_i}(x)$. *)
    $K'' := K' \bmod 2^k$;                          (* We only need $k$ of $nj \ge k$ bits. *)
    $E^*_{K_1, \ldots, K_j}(x) := E_{K''}(x)$;                (* Use the derived key $K''$ to encrypt the input. *)

In a formal model, data dependent re-keying is provably more secure than simply
using one PRP as a PRF [5]. The model is based on the adversary having access
to the block cipher $E$ by asking additional oracle queries: choose keys $K \in \{0,1\}^k$
and texts $T \in \{0,1\}^n$ and ask the oracle for $E_K(T)$ and $E_K^{-1}(T)$. [5, Theorem 5.2]
indicates that $E^*_{K_1, \ldots, K_j}$ is a $(t, q, a)$-secure PRF with $a \approx 0$ if $t \ll \min\{2^{4k/5}, 2^n\}$
and $q \ll \min\{2^{4k/5}, \ldots\}$. A variation of this scheme speeds up counter mode
encryption: For a small constant $d$, the same $K''$ is used for $2^d$ steps.

Hall et al. [7] examine two constructions. Let $d \in \{0, \ldots, n\}$ and $\pi$ be a
PRP over $\{0,1\}^n$. The "truncate" construction is defined as a function
$\{0,1\}^n \to \{0,1\}^{n-d}$ by $x \mapsto \pi(x) \;\mathrm{div}\; 2^d$. The resulting PRF is provably secure if
$q \ll \min\{2^{(n+d)/2}, 2^{2(n-d)/3}\}$ [7], i.e. if $q \ll 2^{4n/7}$ for $d \approx n/7$.

Given $d \in \{0, \ldots, n\}$ and a PRP $\pi$ over $\{0,1\}^n$, the order construction
realizes a PRF $\{0,1\}^{n-d} \to S_{2^d}$. Here, $S_{2^d}$ denotes the set of permutations
over $2^d$ elements. The function maps $x \in \{0,1\}^{n-d}$ to an element of $S_{2^d}$ by
sorting the $2^d$ values $\pi(0 \cdots 000 \| x), \pi(0 \cdots 001 \| x), \ldots, \pi(1 \cdots 111 \| x)$.² The
order construction provably preserves the full security of $\pi$: if $\pi$ is an $(\infty, 0)$-secure
PRP, then the order construction is an $(\infty, 0)$-secure PRF. On the other hand, the order
construction is quite slow, since computing one output takes $2^d$ invocations of $\pi$.

Recently, Bellare and Impagliazzo [3] described a general probabilistic lemma
to upper bound the advantage of an adversary in distinguishing between two
families of functions.³

As an example for applying their general technique, they consider converting
a PRP into a PRF. They analyse $\mathrm{SUM}^2$, the two-dimensional special case of
the $\mathrm{SUM}^d$-construction we consider in the current paper. They also apply their
general technique to analyse two more PRP→PRF constructions: the $\mathrm{TWIN}^2$
variant of $\mathrm{SUM}^2$ (not using the name "$\mathrm{TWIN}^2$"), and the truncate construction
from [7].

4 The Construction $\mathrm{SUM}^d(x) = \bigoplus_{i=1}^{d} \pi_i(x)$

Consider $d \ge 1$ permutations $\pi_1, \ldots, \pi_d$; we define $\mathrm{SUM}^d \in F_n$ by
$\mathrm{SUM}^d(x) = \pi_1(x) \oplus \cdots \oplus \pi_d(x)$.

In the appendix, we regard the two-dimensional special case $\mathrm{SUM}^2$. The
proof of Theorem 5 in the appendix is similar to the proof of Theorem 2 in this
section, but requires less technical details. It may be instructive for the reader to
first skip to the appendix at page 482 and work through the proof of Theorem
5, and then to continue with the current section.

² In fact, [7] deals with a function $\{0,1\}^{n-d} \to \{0,1\}^{2^d - 1}$. Note that $2^{2^d - 1}$
is the largest power of two dividing $(2^d)! = |S_{2^d}|$ [7, Lemma 1]. Computing it
requires $2^d$ invocations of $\pi$ and $2^d - 1$ comparisons.

³ When the current paper was originally written, its author was unaware of [3]. An
anonymous referee provided the reference.

Theorem 2. For $d \ge 1$ random permutations $\pi_1, \ldots, \pi_d \in F_n$ and $q \le 2^{n-1}/d$,
the function $\mathrm{SUM}^d$ is a $(q, a)$-secure PRF with

$$a \le \frac{1}{2^{dn-1}} \sum_{0 \le i < q} i^d.$$



The proof of Theorem 2 requires some technical definitions and lemmas provided
below. Set $N := \{0,1\}^n$.

Definition 2. The set $T \subseteq N^d$ is "fair", if for every $y \in N$

$$|\{ (x_1, \ldots, x_d) \in T \mid x_1 \oplus \cdots \oplus x_d = y \}| = \frac{|T|}{|N|} = \frac{|T|}{2^n}.$$

If $(x_1, \ldots, x_d) \in_R T$, then $y = x_1 \oplus \cdots \oplus x_d$ is a uniformly distributed random
value in $N$ if and only if $T$ is fair. To deal with sets that may be unfair, we also
define a measurement of being "almost fair".

Definition 3. $T \subseteq N^d$ is "$z$-fair":

— if a set $V \subseteq N^d$ exists with $|V| = z$ and $V \cap T = \{\}$, such that $V \cup T$ is fair.
We call $V$ a "completion set" (short: "c-set") for $T$.

— or if a set $U \subseteq T$ with $|U| = z$ exists (an "overhanging set" or "o-set"),
such that $T - U$ is fair. We also say: $T$ is "$z$-overhanging-fair".


Lemma 1.

(a) Consider the sets $A \subseteq N^a$ and $B \subseteq N^b$. If either $A$ or $B$ or both are fair,
then $A \times B \subseteq N^{a+b}$ is fair, too.

(b) If the two sets $B \subseteq A \subseteq N^d$ are fair, then so is $A - B$.

(c) If $A$ is fair and $B \subseteq A$, then $A - B$ is $|B|$-fair.

(d) If the two sets $A \subseteq N^d$ and $B \subseteq N^d$ are fair and $|A| \ge |B|$, then $A - B =
A \cap \overline{B}$ is $|B - A|$-overhanging-fair.

Proof: The proofs of (a) and (c) are trivial. Regarding (b), note that $A$ is
fair: $|\{ (x_1, \ldots, x_d) \in A \mid x_1 \oplus \cdots \oplus x_d = y \}| = |A|/2^n$ for every $y \in N$.
Similarly: $|\{ (x_1, \ldots, x_d) \in B \mid x_1 \oplus \cdots \oplus x_d = y \}| = |B|/2^n$. Thus we get
$|\{ (x_1, \ldots, x_d) \in A \mid (x_1, \ldots, x_d) \notin B \text{ and } x_1 \oplus \cdots \oplus x_d = y \}| = |A - B|/2^n$,
hence $A - B$ is fair.

To show (d), consider a fair set $B^* \subseteq A$ with $|B^*| = |B|$. $B^*$ contains the
elements $x \in (A \cap B)$, and, for every $(x_1, \ldots, x_d) \in (B - A)$, the set $B^*$ contains
a unique representative $(y_1, \ldots, y_d) \in (A \cap \overline{B})$ with $x_1 \oplus \cdots \oplus x_d = y_1 \oplus \cdots \oplus y_d$.
Note that such a set $B^*$ exists since $|B| = |B^*| \le |A|$ and both $A$ and $B$ are
fair. By $R \subseteq B^*$, we denote the set of such representatives, i.e., $|R| = |B - A|$.
Since $A - B^* = (A - B) - R$ is fair, $A - B$ is $|R|$-overhanging-fair. □
Lemma 2. Consider the sets $T' \subseteq N^{d-1}$ and $T'' \subseteq N$. Let $z'' = 2^n - |T''|$
(hence $T''$ is $z''$-fair). Let $T = T' \times T''$ and $|T| \ge z'z''$. If $T'$ is $z'$-fair, then $T$
is $z'z''$-fair. More exactly:

(a) If $V' \subseteq N^{d-1}$ with $|V'| = z'$ is a c-set for $T'$, then an o-set $U \subseteq T$ for $T$
exists with $|U| = z'z''$.

(b) If $U' \subseteq T'$ with $|U'| = z'$ is an o-set for $T'$, then a c-set $V \subseteq N^d$ of size
$|V| = z'z''$ exists for $T$.

Proof: Note that $V'' = N - T''$ is a c-set for $T''$ with $|V''| = z''$.

For (a), let $V' \subseteq N^{d-1}$ with $|V'| = z'$ be a c-set for $T'$. Due to Lemma 1(a),
both sets $T' \times (T'' \cup V'')$ and $(T' \cup V') \times V''$ are fair, and

$$\begin{aligned}
T' \times T'' &= (T' \times (T'' \cup V'')) - ((T' \cup V') \times V'') \\
&= ((T' \times T'') \cup (T' \times V'')) - ((T' \times V'') \cup (V' \times V'')) \\
&= (T' \times T'') - (V' \times V'').
\end{aligned}$$

Since $|T' \times T''| = |T| \ge z'z'' = |V' \times V''|$ and thus $|T' \times (T'' \cup V'')| \ge
|(T' \cup V') \times V''|$, we can apply Lemma 1(d) and conclude: $T' \times T''$ is $|V' \times V''|$-fair,
and $|V' \times V''| = z'z''$. Also, an o-set of size $|V' \times V''| = z'z''$ exists for $T' \times T''$.

Regarding (b), consider the o-set $U' \subseteq T'$ with $|U'| = z'$. As above, we argue
that the sets $T' \times (T'' \cup V'')$ and $(T' - U') \times V''$ are fair, and

$$\begin{aligned}
(T' \times T'') \cup (U' \times V'') &= (T' \times (T'' \cup V'')) - ((T' - U') \times V'') \\
&= (T' \times T'') \cup (T' \times V'') - ((T' \times V'') - (U' \times V'')).
\end{aligned}$$

Since $((T' - U') \times V'') \subseteq T' \times V'' \subseteq T' \times (T'' \cup V'')$, we can apply Lemma 1(b):
the set $(T' \times T'') \cup (U' \times V'')$ is fair. By Lemma 1(c) we find that $T' \times T''$ is
$|U' \times V''|$-fair. Especially, $U' \times V''$ is a c-set for $T = T' \times T''$. □

Proof: [of Theorem 2] Our adversary asks $q \le 2^{n-1}/d$ oracle queries. We write
$x_1, \ldots, x_q$ for the inputs chosen by the adversary and $y_1, \ldots, y_q$ for the
oracle's corresponding outputs. W.l.o.g., we assume $x_i \ne x_j$ for $i \ne j$. Evaluating
$\mathrm{SUM}^d$ on these inputs may be thought of as choosing $q$ values $\pi_k(x_1),
\ldots, \pi_k(x_q)$ for every $k \in \{1, \ldots, d\}$. Since $\pi_k$ is a random permutation over
$\{0,1\}^n$, the values $\pi_k(x_1), \ldots, \pi_k(x_q)$ are random values in $N = \{0,1\}^n$, except
that $\pi_k(x_i) \ne \pi_k(x_j)$ for $i \ne j$. We simply write $\pi_{k,i}$ for $\pi_k(x_i)$. Now, generating
the random values $y_i = \mathrm{SUM}^d(x_i)$ may be thought of as choosing $\pi_{k,i} \in_R
N - \{\pi_{k,1}, \ldots, \pi_{k,i-1}\}$ for $k \in \{1, \ldots, d\}$ and evaluating $y_i = \pi_{1,i} \oplus \cdots \oplus \pi_{d,i}$.
We may as well regard this as choosing the $d$-tuple $(\pi_{1,i}, \ldots, \pi_{d,i}) \in_R T_i \subseteq N^d$,
where $T_i$ is the set of all $d$-tuples still available, i.e., $T_1 = N^d$ and $T_{i+1} \subseteq T_i$, or
exactly:

$$\begin{aligned}
T_{i+1} = N^d &- (\{\pi_{1,1}, \ldots, \pi_{1,i}\} \times N^{d-1}) \\
&- (N \times \{\pi_{2,1}, \ldots, \pi_{2,i}\} \times N^{d-2}) \\
&- \cdots \\
&- (N^{d-1} \times \{\pi_{d,1}, \ldots, \pi_{d,i}\}).
\end{aligned} \tag{1}$$

Note that $|T_{i+1}| \ge 2^{dn} - (d i \cdot 2^{(d-1)n})$. We can simulate the generation of the
values $y_i$ as follows:

    For $i := 1$ to $q$: choose $t_i = (\pi_{1,i}, \ldots, \pi_{d,i}) \in_R T_i$;
        output $y_i = \pi_{1,i} \oplus \cdots \oplus \pi_{d,i}$.



The sets $T_{i+1}$ are $i^d$-fair:

We set $j := i + 1$ and show that if $d$ is odd, a c-set $V_j$ exists for $T_j$ with
$|V_j| = (j-1)^d$, and, if $d$ is even, an o-set $U_j$ for $T_j$ of size $|U_j| = (j-1)^d$ exists.

We prove this by induction on $d$. If $d = 1$, $V_j = \{y_1, \ldots, y_{j-1}\}$ is a c-set for $T_j$
and $|V_j| = (j-1)^1$. For $d > 1$, we split the $d$-tuples $(\pi_{1,j}, \ldots, \pi_{d,j}) \in T_j$ up into
a $(d-1)$-tuple $(\pi_{1,j}, \ldots, \pi_{d-1,j}) \in T'_j \subseteq N^{d-1}$ and a single value $\pi_{d,j} \in T'' =
N - V''_j$ with $V''_j = \{\pi_{d,1}, \ldots, \pi_{d,j-1}\}$. We know that $T''$ is $(j-1)$-fair. Note
that $j \le q \le 2^{n-1}/d$, hence $|T'_j| \ge (j-1)^{d-1}$, $|T''| \ge j - 1$, and, by induction,
$|T_j| \ge (j-1)^d$. This will allow us to apply Lemma 2.

Let $d$ be even. Then $d - 1$ is odd. Assume that a c-set $V'_j$ for $T'_j$ exists of size
$|V'_j| = (j-1)^{d-1}$. The claim follows from Lemma 2(a).

Now, let $d$ be odd. Assume that $T'_j$ is $(j-1)^{d-1}$-fair, and that an o-set $U'_j \subseteq T'_j$
exists with $|U'_j| = (j-1)^{d-1}$. The claim follows from Lemma 2(b).
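A brute-force check of the fairness notions and of the claim just proved, added here as an example rather than taken from the paper: Definition 2 is tested by counting XOR-sums, T_{i+1} is built literally from Equation (1) for a tiny n (so that N^d can be enumerated), the size bound |T_{i+1}| ≥ 2^{dn} − d·i·2^{(d−1)n} is verified, and the i^d-fairness of T_{i+1} is established by exhaustive search for an o-set (even d) or a c-set (odd d). The parameters n ∈ {2, 3}, d ∈ {1, 2, 3} and the seeded permutations are choices made for this demonstration; the search is exponential and only meant for such toy sizes.

```python
import random
from collections import Counter
from itertools import combinations, product
from typing import Dict, List, Set, Tuple

Tup = Tuple[int, ...]


def xor_sum(t: Tup) -> int:
    """x_1 xor ... xor x_d of a d-tuple."""
    y = 0
    for v in t:
        y ^= v
    return y


def full_space(n: int, d: int) -> Set[Tup]:
    """N^d with N = {0,1}^n; it is fair, every y being hit by exactly 2^((d-1)n) tuples."""
    return set(product(range(1 << n), repeat=d))


def is_fair(T: Set[Tup], n: int) -> bool:
    """Definition 2: every y in N is the XOR-sum of exactly |T| / 2^n tuples of T."""
    size_n = 1 << n
    if len(T) % size_n:
        return False
    counts = Counter(xor_sum(t) for t in T)
    return all(counts[y] == len(T) // size_n for y in range(size_n))


def available_tuples(used: List[Set[int]], n: int) -> Set[Tup]:
    """Equation (1): T_{i+1} = N^d minus every tuple whose k-th coordinate is an already used pi_k-value."""
    d = len(used)
    return {t for t in full_space(n, d) if all(t[k] not in used[k] for k in range(d))}


def has_o_set(T: Set[Tup], z: int, n: int) -> bool:
    """z-overhanging-fair: some U subset of T with |U| = z and T - U fair (exhaustive search)."""
    return any(is_fair(T - set(U), n) for U in combinations(sorted(T), z))


def has_c_set(T: Set[Tup], z: int, n: int, d: int) -> bool:
    """z-fair via a completion set: some V disjoint from T with |V| = z and T | V fair (exhaustive)."""
    complement = sorted(full_space(n, d) - T)
    return any(is_fair(T | set(V), n) for V in combinations(complement, z))


def check_theorem2_claims(n: int, d: int, queries: int, seed: int = 0) -> Dict[int, dict]:
    """For i = 1..queries: sample pi_1..pi_d as random permutations, take their values on x_j = j - 1,
    build T_{i+1} from Equation (1) and check (a) the size bound and (b) i^d-fairness
    (an o-set of size i^d when d is even, a c-set of size i^d when d is odd)."""
    rng = random.Random(seed)
    perms: List[List[int]] = []
    for _ in range(d):
        table = list(range(1 << n))
        rng.shuffle(table)
        perms.append(table)
    results: Dict[int, dict] = {}
    for i in range(1, queries + 1):
        used = [set(perms[k][:i]) for k in range(d)]          # {pi_k(x_1), ..., pi_k(x_i)}
        T = available_tuples(used, n)
        size_ok = len(T) >= (1 << (d * n)) - d * i * (1 << ((d - 1) * n))
        z = i ** d
        fair_ok = has_o_set(T, z, n) if d % 2 == 0 else has_c_set(T, z, n, d)
        results[i] = {"size": len(T), "size_bound_holds": size_ok, "i^d_fair": fair_ok}
    return results


if __name__ == "__main__":
    for n, d, queries in ((2, 1, 3), (2, 2, 2), (2, 3, 1), (3, 2, 1)):
        print(f"n={n} d={d}:", check_theorem2_claims(n, d, queries))
```

For d = 2 and n = 2 the set T_2 = (N − {a}) × (N − {b}) has nine tuples, and the XOR-sum a ⊕ b is hit three times while every other y is hit twice; removing a single tuple with sum a ⊕ b (the o-set of size 1² = 1) leaves a fair set, which is exactly what the exhaustive search finds.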

Choosing the $d$-tuples $(\pi_{1,i}, \ldots, \pi_{d,i})$ from fair sets:

Since we know that c-sets or o-sets of size $(i-1)^d$ for $T_i$ exist, we can simulate
the generation of the $y_i$ as described in Figure 1. Either, $d$ is odd and a c-set $V_i$
for $T_i$ exists, or $d$ is even and an o-set $U_i$ exists.

Even d:

    Set bad := 0;
    for i := 1 to q:
        determine $T_i$ and $U_i$;
        choose $t_i = (\pi_{1,i}, \ldots, \pi_{d,i}) \in_R T_i$;
        if $t_i \in U_i$ then
            bad := 1;
        output $y_i := \pi_{1,i} \oplus \cdots \oplus \pi_{d,i}$;
    output bad.

Odd d:

    Set bad := 0;
    for i := 1 to q:
        determine $T_i$ and $V_i$; $S_i := T_i \cup V_i$;
        choose $t_i = (\pi_{1,i}, \ldots, \pi_{d,i}) \in_R S_i$;
        if $t_i \notin T_i$ then
            bad := 1;
            choose $t_i = (\pi_{1,i}, \ldots, \pi_{d,i}) \in_R T_i$;
        output $y_i := \pi_{1,i} \oplus \cdots \oplus \pi_{d,i}$;
    output bad.

Fig. 1. Two simulations for the PRF $\mathrm{SUM}^d$

When the output $y_i := \pi_{1,i} \oplus \cdots \oplus \pi_{d,i}$ is generated, the $d$-tuple $t_i =
(\pi_{1,i}, \ldots, \pi_{d,i})$ is a uniformly distributed random value $t_i \in_R T_i$. The simulation
generates an additional value $\mathrm{bad} \in \{0,1\}$. If $\mathrm{bad} = 0$, all $t_i$ are uniformly
distributed random $d$-tuples chosen from fair sets, and thus $y_i \in_R N$. Thus, the
advantage of every adversary is at most $\mathrm{pr}[\mathrm{bad} = 1]$.
Evaluating $\mathrm{pr}[\mathrm{bad} = 1]$:

The simulation in Figure 1 outputs $\mathrm{bad} = 1$ if and only if the then-clause is
executed at least once, i.e., $\mathrm{pr}[\mathrm{bad} = 1] \le \sum_{1 \le i \le q} \mathrm{pr}[\mathrm{then}_i]$. We get

$$\mathrm{pr}[\mathrm{then}_i] = \begin{cases} (i-1)^d / |T_i| & \text{for even } d \\ (i-1)^d / (|T_i| + (i-1)^d) & \text{for odd } d \end{cases} \;\le\; \frac{(i-1)^d}{|T_i|}.$$

Since $|T_{i+1}| \ge 2^{dn} - (d i \cdot 2^{(d-1)n})$ and $i \le q \le 2^{n-1}/d$, we have $|T_{i+1}| \ge 2^{dn} -
2^{dn-1} = 2^{dn-1}$, and hence

$$\mathrm{pr}[\mathrm{bad} = 1] \le \sum_{1 \le i \le q} \mathrm{pr}[\mathrm{then}_i] \le \sum_{1 \le i \le q} \frac{(i-1)^d}{2^{dn-1}} = \frac{1}{2^{dn-1}} \sum_{0 \le i < q} i^d.$$

Hence $a \le \mathrm{pr}[\mathrm{bad} = 1] \le 2^{-dn+1} \sum_{0 \le i < q} i^d$. □

Note that $\sum_{0 \le i < q} i^d = \Theta(q^{d+1})$, hence $\mathrm{Adv}^{\mathrm{Fun}}_{A,\mathrm{SUM}^d} \le \Theta(q^{d+1}/2^{dn})$. Depending on
$d$, we provide some examples. For every adversary $A$, we get:

$$d = 1:\quad \sum_{0 \le i < q} i = \frac{q(q-1)}{2} < \frac{q^2}{2}, \qquad \mathrm{Adv}^{\mathrm{Fun}}_{A,\mathrm{SUM}^1} < \frac{q^2}{2^n} \tag{2}$$

$$d = 2:\quad \sum_{0 \le i < q} i^2 = \frac{2q^3 - 3q^2 + q}{6} < \frac{q^3}{3}, \qquad \mathrm{Adv}^{\mathrm{Fun}}_{A,\mathrm{SUM}^2} < \frac{q^3}{3 \cdot 2^{2n-1}} \tag{3}$$

$$d = 3:\quad \sum_{0 \le i < q} i^3 = \frac{q^2 (q-1)^2}{4} < \frac{q^4}{4}, \qquad \mathrm{Adv}^{\mathrm{Fun}}_{A,\mathrm{SUM}^3} < \frac{q^4}{2^{3n+1}} \tag{4}$$

In general, $\mathrm{SUM}^d$ is secure against adversaries asking $q \ll 2^{dn/(d+1)}$ queries. If a
pessimistic estimate of $q$ gives a value $q \approx 2^n$, we can choose $d$ accordingly. In
practice, $d$ will be small, e.g., $d \le 10$.



5 The Construction $\mathrm{TWIN}^d(x) = \bigoplus_{i=0}^{d-1} \pi(dx + i)$

The $\mathrm{SUM}^d$-construction requires $d$ independent PRPs $\pi_1, \ldots, \pi_d$. We may use
one block cipher running under $d$ different keys to implement the $\pi_i$. Depending
on our choice of block cipher and on hardware limitations, frequently changing
between encryption under $d$ different keys may be costly, though. Can we
construct a secure PRF using a single PRP $\pi$ over $\{0,1\}^n$? Consider the function
$\mathrm{TWIN}^d : \{0,1\}^{n - \lceil \log_2 d \rceil} \to \{0,1\}^n$:

$$\mathrm{TWIN}^d(x) = \pi(dx) \oplus \cdots \oplus \pi(dx + d - 1).$$

(Recall that we interchangeably view $b$-bit strings $s \in \{0,1\}^b$ as numbers $s \in
\{0, \ldots, 2^b - 1\}$. Thus, $x \in \{0,1\}^{n - \lceil \log_2 d \rceil}$ represents a number $x \le 2^{n - \log_2 d} -
1 = 2^n/d - 1$, the product $dx$ is at most $2^n - d$, and hence $dx + d - 1 \le 2^n - 1$
can be written as an $n$-bit string.)
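Both constructions written out as an added example (not the paper's code), with the block cipher under one key replaced by a sampled random permutation so that n can be small enough to enumerate the whole domain: sum_d XORs d independent permutations at the same input, twin_d XORs one permutation at the d consecutive positions dx, ..., dx + d − 1 and rejects inputs outside {0,1}^{n − ⌈log₂ d⌉}. Two properties the paper relies on are made checkable: the index blocks of different TWIN inputs never overlap (so q TWIN queries cost exactly dq distinct π-queries, as used in Theorem 4), and the outputs are no longer injective, which is what separates a PRF from a PRP in the first place. All function names and the parameters n = 8, d ∈ {2, 3} are choices made here.

```python
import math
import random
from typing import Callable, List, Sequence, Set


def random_prp(n: int, rng: random.Random) -> Callable[[int], int]:
    """Stand-in for a block cipher under one fixed key: a uniformly random permutation of {0,1}^n."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table.__getitem__


def sum_d(prps: Sequence[Callable[[int], int]], x: int, n: int) -> int:
    """SUM^d(x) = pi_1(x) xor ... xor pi_d(x), one PRP per independent key."""
    if not 0 <= x < (1 << n):
        raise ValueError("SUM^d input must be an n-bit value")
    y = 0
    for pi in prps:
        y ^= pi(x)
    return y


def twin_input_bits(n: int, d: int) -> int:
    """TWIN^d takes n - ceil(log2 d) input bits so that dx + d - 1 still fits into n bits."""
    return n - math.ceil(math.log2(d))


def twin_indices(x: int, d: int, n: int) -> List[int]:
    """The d positions dx, dx + 1, ..., dx + d - 1 at which the single PRP is evaluated for input x."""
    if not 0 <= x < (1 << twin_input_bits(n, d)):
        raise ValueError("TWIN^d input must have n - ceil(log2 d) bits")
    indices = [d * x + i for i in range(d)]
    assert indices[-1] <= (1 << n) - 1      # dx + d - 1 <= 2^n - 1, as argued in the text
    return indices


def twin_accepts(x: int, d: int, n: int) -> bool:
    """True iff x is a legal TWIN^d input."""
    try:
        twin_indices(x, d, n)
        return True
    except ValueError:
        return False


def twin_d(pi: Callable[[int], int], x: int, d: int, n: int) -> int:
    """TWIN^d(x) = pi(dx) xor ... xor pi(dx + d - 1) with one PRP under one key."""
    y = 0
    for j in twin_indices(x, d, n):
        y ^= pi(j)
    return y


def twin_blocks_disjoint(d: int, n: int) -> bool:
    """Distinct inputs use disjoint index blocks, so q TWIN queries are dq distinct pi-queries."""
    seen: Set[int] = set()
    for x in range(1 << twin_input_bits(n, d)):
        block = set(twin_indices(x, d, n))
        if seen & block:
            return False
        seen |= block
    return True


def excess_collisions(f: Callable[[int], int], input_bits: int) -> int:
    """Inputs whose output repeats an earlier output, over the whole domain: 0 iff f is injective."""
    outputs = [f(x) for x in range(1 << input_bits)]
    return len(outputs) - len(set(outputs))


def collision_report(n: int = 8, d: int = 2, seed: int = 7) -> dict:
    """Injectivity of a single PRP versus SUM^d over d PRPs and TWIN^d over one PRP."""
    rng = random.Random(seed)
    prps = [random_prp(n, rng) for _ in range(d)]
    single = prps[0]
    return {
        "prp": excess_collisions(single, n),
        "sum": excess_collisions(lambda x: sum_d(prps, x, n), n),
        "twin": excess_collisions(lambda x: twin_d(single, x, d, n), twin_input_bits(n, d)),
    }


if __name__ == "__main__":
    print(collision_report())
```

Swapping random_prp for a real block cipher under a fixed key (with n = 64 or 128) leaves sum_d and twin_d unchanged; only the exhaustive helpers stop being usable, and for TWIN the input must then be restricted to n − ⌈log₂ d⌉ bits by the caller exactly as twin_indices enforces it here.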
Theorem 3. For $d \ge 1$, a random permutation $\pi \in F_n$ and $q \le 2^{n-1}/d^2$, the
function $\mathrm{TWIN}^d(x) = \bigoplus_{i=0}^{d-1} \pi(dx + i)$ is a $(q, a)$-secure PRF with

$$a \le \frac{1}{2^{dn-1}} \sum_{0 \le i < q} (di)^d + \frac{q \cdot d^2}{2^n}.$$

Proof: As in the proof of Theorem 2, the adversary asks $q$ queries $x_1, \ldots, x_q$,
w.l.o.g. $x_i \ne x_j$ for $i \ne j$, and learns $q$ responses $y_i = \mathrm{TWIN}^d(x_i)$. We define
$\pi_{di-d+1} = \pi(dx_i), \ldots, \pi_{di} = \pi(dx_i + d - 1)$, $N = \{0,1\}^n$, and

$$C^* = \{ (s_1, \ldots, s_d) \in N^d : \exists\, i \ne j : s_i = s_j \}.$$

Clearly, the $d$-tuples $(\pi_{di-d+1}, \ldots, \pi_{di})$ are not in $C^*$. Note that $|C^*| \le 2^{(d-1)n} \cdot
d(d-1)/2 < 2^{(d-1)n} d^2/2$. Similar to Equation (1), we define a set $T^*_i$ of the $d$-tuples
still available: $T^*_i = T^{**}_i - C^*$, $T^{**}_1 = N^d$, and

$$\begin{aligned}
T^{**}_{i+1} = N^d &- (\{\pi_1, \ldots, \pi_{di}\} \times N^{d-1}) \\
&- (N \times \{\pi_1, \ldots, \pi_{di}\} \times N^{d-2}) \\
&- \cdots \\
&- (N^{d-1} \times \{\pi_1, \ldots, \pi_{di}\}).
\end{aligned} \tag{5}$$

Note that $|T^{**}_{i+1}| \ge 2^{dn} - (d^2 \cdot i \cdot 2^{(d-1)n})$. We simulate generating the $y_i$:

    For $i := 1$ to $q$: choose $(\pi_{di-d+1}, \ldots, \pi_{di}) \in_R T^*_i$;
        output $y_i = \pi_{di-d+1} \oplus \cdots \oplus \pi_{di}$.

The sets $T^{**}_{i+1}$ are $(di)^d$-fair:

Compare Equations (1) and (5). Set $j := di + 1$ and show the $(j-1)^d$-fairness
of the sets $T^{**}_{i+1}$ as in the proof of Theorem 2.

Choosing the $d$-tuples $(\pi_{di-d+1}, \ldots, \pi_{di})$ from fair sets:

The sets $T^{**}_i$ are $(di - d)^d$-fair, i.e., c-sets or o-sets of size $(di - d)^d$ for $T^{**}_i$ exist.
We argue as in the proof of Theorem 2: If $d$ is odd, then a c-set $V_i$ for $T^{**}_i$ exists.
If $d$ is even, an o-set $U_i$ exists. Figure 2 describes the corresponding simulations.

In addition to Figure 1, the simulation in Figure 2 takes care that $t_i$ is in
$T^*_i$, not just in $T^{**}_i$. If the last output is $\mathrm{bad} = 0$, all $d$-tuples $t_i$ used to generate
the $y_i$ are uniformly chosen values from fair sets $T^{**}_i - U_i$ or $V_i \cup T^{**}_i$, hence
$a \le \mathrm{pr}[\mathrm{bad} = 1]$.

Evaluating $\mathrm{pr}[\mathrm{bad} = 1]$:

We get $\mathrm{bad} = 1$ if and only if one of the two then-clauses is executed at least
once. By $B^1_i$ we denote the event that the then-clause marked by (*) is executed
in round $i$; $B^1$ denotes the event that this clause is executed in any round
$i \in \{1, \ldots, q\}$, i.e., $\mathrm{pr}[B^1] \le \sum_{i=1}^{q} \mathrm{pr}[B^1_i]$. For the then-clause marked by (**), we
define the similar events $B^2_i$ and $B^2$. Thus $\mathrm{pr}[\mathrm{bad} = 1] \le \mathrm{pr}[B^1] + \mathrm{pr}[B^2]$. We
start with $\mathrm{pr}[B^1]$:

$$\mathrm{pr}[B^1_i] = \begin{cases} (di - d)^d / |T^{**}_i| & \text{for even } d \\ (di - d)^d / (|T^{**}_i| + (di - d)^d) & \text{for odd } d \end{cases} \;\le\; \frac{(di - d)^d}{|T^{**}_i|}.$$
Even d:

    Set bad := 0;
    for i := 1 to q:
        determine $T^{**}_i$ and $U_i$;
        choose $t_i = (\pi_{di-d+1}, \ldots, \pi_{di}) \in_R T^{**}_i$;
        if $t_i \in U_i$ then (*)
            bad := 1;
        if $t_i \in C^*$ then (**)
            bad := 1; choose $t_i \in_R T^{**}_i \cap \overline{C^*}$;
        output $y_i := \pi_{di-d+1} \oplus \cdots \oplus \pi_{di}$;
    output bad.

Odd d:

    Set bad := 0;
    for i := 1 to q:
        determine $T^{**}_i$ and $V_i$;
        choose $t_i = (\pi_{di-d+1}, \ldots, \pi_{di}) \in_R T^{**}_i \cup V_i$;
        if $t_i \notin T^{**}_i$ then (*)
            bad := 1; choose $t_i \in_R T^{**}_i$;
        if $t_i \in C^*$ then (**)
            bad := 1; choose $t_i \in_R T^{**}_i \cap \overline{C^*}$;
        output $y_i := \pi_{di-d+1} \oplus \cdots \oplus \pi_{di}$;
    output bad.

Fig. 2. Two simulations for $\mathrm{TWIN}^d$

Since $|T^{**}_{i+1}| \ge 2^{dn} - (d^2 \cdot i \cdot 2^{(d-1)n})$ and $i \le q \le 2^{n-1}/d^2$, we get $|T^{**}_{i+1}| \ge
2^{dn} - 2^{dn-1} = 2^{dn-1}$, and thus

$$\mathrm{pr}[B^1] \le \sum_{1 \le i \le q} \frac{(di - d)^d}{2^{dn-1}} = \frac{1}{2^{dn-1}} \sum_{0 \le i < q} (di)^d.$$

Now we bound $\mathrm{pr}[B^2]$. Since $|T^{**}_i| \ge 2^{dn} - d^2 \cdot i \cdot 2^{(d-1)n} \ge 2^{dn-1}$ for $i \le q \le
2^{n-1}/d^2$ and $|C^*| < 2^{(d-1)n} \cdot d^2/2$, we get

$$\mathrm{pr}[B^2_i] \le \frac{|C^*|}{|T^{**}_i|} < \frac{2^{(d-1)n} d^2/2}{2^{dn-1}} = \frac{d^2}{2^n}, \qquad \mathrm{pr}[B^2] \le \sum_{1 \le i \le q} \mathrm{pr}[B^2_i] < \frac{q \cdot d^2}{2^n},$$

hence $a \le \mathrm{pr}[\mathrm{bad} = 1] \le 2^{-dn+1} \sum_{0 \le i < q} (di)^d + q \cdot d^2/2^n$. □

Consider $d \in \{1, 2, 3\}$. Based on Equations (2)-(4), multiplied by $d^d$ because
$\sum_{0 \le i < q} (di)^d = d^d \sum_{0 \le i < q} i^d$, we get

$$d = 1:\quad a < q/2^n + q^2/2^n$$
$$d = 2:\quad a < 4q/2^n + 4q^3/(3 \cdot 2^{2n-1})$$
$$d = 3:\quad a < 9q/2^n + 27q^4/2^{3n+1}.$$

The $\sum_{0 \le i < q} (id)^d$-term determines the maximum size of $q$, at least if $d$ is
that small and for practically interesting $n \ge 64$. We conclude: for small $d$, the
PRF-security of $\mathrm{TWIN}^d$ is close to the PRF-security of $\mathrm{SUM}^d$.



6 Final Comments

6.1 Practical Security

We presented constructions for PRFs from permutations, and we proved our
PRFs to be $(q, a)$-secure if the permutations are $(\infty, 0)$-secure (or "ideal") PRPs.
In practice, our PRPs (i.e. block ciphers) are not ideal ones. What we actually
are interested in is a close relationship between the deviation of the underlying
permutations from being ideal $(\infty, 0)$-secure PRPs, and the deviation of the
constructed PRF from being $(\infty, 0)$-secure. This is quite straightforward, and
we exemplify this for the $\mathrm{TWIN}^d$-construction:

Theorem 4. Let $q$ and $a$ be chosen such that $\mathrm{TWIN}^d$ is $(q, a)$-secure in the ideal
case. Let $B$ be a $(t, qd, \delta)$-secure PRP (i.e., every adversary running in time at most
$t$ and asking at most $qd$ queries has PRP advantage at most $\delta$). The function
$f : \{0,1\}^{n - \lceil \log_2 d \rceil} \to \{0,1\}^n$ defined by

$$f(x) = B(dx) \oplus \cdots \oplus B(dx + d - 1) \tag{6}$$

is $(t - qt', q, a + \delta)$-secure. Here, $t'$ denotes the time to evaluate Expression (6).

Note that the function $f$ is indeed an instantiation of the PRF $\mathrm{TWIN}^d$ using
the concrete (non-ideal) PRP $B$.

Proof: [of Theorem 4] Assume an adversary $A_f$ running at most $t - qt'$ units of
time, asking for $q$ values $f(x_1), \ldots, f(x_q)$, achieves an advantage $\mathrm{Adv}^{\mathrm{Fun}}_{A_f, f} > a + \delta$.
We describe an adversary $A_B$ for $B$, using $A_f$ as some kind of "subroutine". The
performance of $A_B$ disproves the $(t, qd, \delta)$-security of $B$.

Whenever $A_f$ chooses $x \in \{0,1\}^{n - \lceil \log_2 d \rceil}$ and asks for $f(x)$, $A_B$ asks for the
values $B(dx), \ldots, B(dx + d - 1)$ and evaluates Expression (6). $A_B$ uses the
output-bit produced by $A_f$ as its own output-bit.

Running $A_B$ requires the running time for $A_f$ plus the additional time $qt'$ for
$q$ evaluations of (6), and $q$ queries for the $f$-oracle are translated into $dq$ queries
for the $B$-oracle. Since $\mathrm{TWIN}^d$ is $(q, a)$-secure in the ideal case, and since $A_f$ is
assumed to achieve an advantage of more than $a + \delta$, the advantage of $A_B$ in
distinguishing between $B$ and an ideal block cipher exceeds $\delta$. □

Given an estimate of the number $q$ of plaintext/ciphertext pairs the adversary
can learn, and given the block size $n$, the security architect must decide on
the size of the parameter $d$. Our analysis provides precise bounds (instead of
asymptotic estimates) to help her make a reasonable decision. This kind of
reasoning, the "concrete security analysis", was initiated in [4].
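The concrete-security reasoning of this section, and the closed-form bounds (2)-(4) for SUM^d and their TWIN^d counterparts, turned into a small calculator as an added example (not the paper's code): it evaluates the bounds exactly as rational numbers using the estimate Σ_{i<q} i^d ≤ q^{d+1}/(d+1) that underlies Equations (2)-(4), and for a block size n and a tolerated advantage a it reports the largest q the bound admits and the smallest d that keeps a given q below a. The bounds are only applied inside the theorems' ranges q ≤ 2^{n−1}/d and q ≤ 2^{n−1}/d². Function names and the sample parameters (n = 64, a = 2^{−20}) are choices made here.

```python
from fractions import Fraction
from typing import Optional


def sum_of_powers(q: int, d: int) -> int:
    """sum_{0 <= i < q} i^d, exact; used to check the closed forms of Equations (2)-(4)."""
    return sum(i ** d for i in range(q))


def alpha_pow2(k: int) -> Fraction:
    """A tolerated advantage of 2^-k as an exact rational."""
    return Fraction(1, 2 ** k)


def sum_range(n: int, d: int) -> int:
    """Largest q covered by Theorem 2: q <= 2^(n-1)/d."""
    return (1 << (n - 1)) // d


def twin_range(n: int, d: int) -> int:
    """Largest q covered by Theorem 3: q <= 2^(n-1)/d^2."""
    return (1 << (n - 1)) // (d * d)


def sum_bound_upper(q: int, d: int, n: int) -> Fraction:
    """Theorem 2 with sum_{i<q} i^d <= q^(d+1)/(d+1): a <= 2^(1-dn) * q^(d+1)/(d+1).
    For d = 1, 2, 3 this is q^2/2^n, q^3/(3*2^(2n-1)), q^4/2^(3n+1), i.e. Equations (2)-(4)."""
    if d < 1 or q < 0 or q > sum_range(n, d):
        raise ValueError("outside the range of Theorem 2")
    return Fraction(2 * q ** (d + 1), (d + 1) * 2 ** (d * n))


def twin_bound_upper(q: int, d: int, n: int) -> Fraction:
    """Theorem 3 with the same estimate: a <= d^d * 2^(1-dn) * q^(d+1)/(d+1) + q*d^2/2^n."""
    if d < 1 or q < 0 or q > twin_range(n, d):
        raise ValueError("outside the range of Theorem 3")
    return Fraction(2 * d ** d * q ** (d + 1), (d + 1) * 2 ** (d * n)) + Fraction(q * d * d, 2 ** n)


def max_queries(n: int, d: int, alpha: Fraction, twin: bool = False) -> int:
    """Largest q inside the theorem's range whose bound does not exceed alpha (the bounds grow with q)."""
    bound = twin_bound_upper if twin else sum_bound_upper
    lo, hi = 0, (twin_range(n, d) if twin else sum_range(n, d))
    while lo < hi:                      # binary search for the last q with bound(q) <= alpha
        mid = (lo + hi + 1) // 2
        if bound(mid, d, n) <= alpha:
            lo = mid
        else:
            hi = mid - 1
    return lo


def smallest_d(n: int, q: int, alpha: Fraction, twin: bool = False, d_max: int = 10) -> Optional[int]:
    """Smallest d <= d_max (the paper expects d to be small) for which q queries stay below alpha."""
    bound = twin_bound_upper if twin else sum_bound_upper
    for d in range(1, d_max + 1):
        if q <= (twin_range(n, d) if twin else sum_range(n, d)) and bound(q, d, n) <= alpha:
            return d
    return None


if __name__ == "__main__":
    alpha = alpha_pow2(20)
    for d in (1, 2, 3):
        qs, qt = max_queries(64, d, alpha), max_queries(64, d, alpha, twin=True)
        print(f"n=64 d={d}: SUM^d ok up to q ~ 2^{qs.bit_length() - 1}, TWIN^d up to q ~ 2^{qt.bit_length() - 1}")
    print("smallest d for q = 2^40 at n = 64:", smallest_d(64, 2 ** 40, alpha))
```

For n = 64 and a = 2^{−20}, d = 1 (the plain block cipher) tolerates q = 2^{22} queries, while d = 3 is the first choice that keeps q = 2^{40} queries below the same advantage, for SUM^d and TWIN^d alike: the extra q·d²/2^n term of Theorem 3 is negligible at this block size, as the text above observes.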

6.2 Super Pseudorandom Permutations 

Luby and Rackoff [9] introduced a distinction between super PRPs and (ordi- 
nary) PRPs: For ordinary PRPs, the adversary may only choose values x and 
ask the oracle Q for Q(x). Such adversaries are “chosen plaintext” adversaries. 
On the other hand, super PRPs need to resist “combined chosen plaintext / 
chosen ciphertext” adversaries, i.e., adversaries also able to choose y and ask for 
Q~^(y). For our constructions we don’t need super PRPs - ordinary PRPs are 
sufficient. This makes our results all the more meaningful. 

6.3 Comparison and Conclusion

This paper deals with the construction of PRFs from PRPs. We propose two constructions, $\mathrm{SUM}^d : \{0,1\}^n \to \{0,1\}^n$ and $\mathrm{TWIN}^d : \{0,1\}^{n - \lceil \log_2(d) \rceil} \to \{0,1\}^n$, based on PRPs over $\{0,1\}^n$.

Our constructions preserve the security of the underlying PRP better than the truncate construction from [7] and are much more efficient than the order construction, also from [7].

The truncate construction from [7] is re-considered in [3], claiming an improved security analysis compared to [7]. Also, [3] deals with $\mathrm{SUM}^2$ and $\mathrm{TWIN}^2$, the two-dimensional variants of the constructions we scrutinise here. In short, if the number $q$ of oracle queries is $q \ll 2^n / O(n)$, both the $\mathrm{SUM}^2$ and the $\mathrm{TWIN}^2$ construction are claimed to be secure. (For $\mathrm{TWIN}^2$, a short sketch of proof is given.) Note that the results claimed in [3] are significantly better than the results provided in the current paper.

Now consider data dependent re-keying (DDRK) [5]. If $k$ is the key size of
the underlying block cipher, the result on the security of DDRK [5, Theorem
5.2] requires q <C In fact, that result depends on the assumption that 

exhaustively searching $2^{4k/5}$ keys is infeasible. If, say, $k = 80$, the effective key
length guaranteed by the result is only $4 \cdot 80 / 5$ bit $= 64$ bit. This is a disadvantage,
compared to our schemes. (Note though: [5] conjecture that the bound on q can 
be improved to g <C 2^^^“*^).) Depending on which block cipher is used and 
on hardware constraints, the very frequent key changes needed for DDRK can 
constitute another disadvantage. 

For some applications, e.g. on low-end smartcards, even the effort to switch between only $d$ fixed secret keys may be prohibitive. In this case, the $\mathrm{TWIN}^d$ construction is superior to $\mathrm{SUM}^d$, if a PRF with only $n - \lceil \log_2(d) \rceil$ input bits is acceptable.
Appendix:

The 2-Dimensional Construction $\mathrm{SUM}^2(x) = \sigma(x) \oplus \tau(x)$

To improve the tangibility of this paper, the abstract deals with a simple but non-trivial special case of $\mathrm{SUM}^d$, the 2-dimensional variant

$$\mathrm{SUM}^2(x) = \sigma(x) \oplus \tau(x),$$

depending on two permutations $\sigma, \tau : \{0,1\}^n \to \{0,1\}^n$. Not surprisingly, $\mathrm{SUM}^2$ is not an $(\infty, 0)$-secure PRF. In fact, collisions are too probable. E.g., the probability that the first two pseudorandom values $y_1$ and $y_2$ generated using $\mathrm{SUM}^2$ collide is too high: $\Pr[y_1 = y_2] > 2^{-n}$. To see this, consider simulating $\mathrm{SUM}^2$.

Initially, there are $2^{2n}$ pairs $(s, t) \in (\{0,1\}^n)^2$ to choose for $(\sigma(x_1), \tau(x_1))$. For every value $y \in \{0,1\}^n$, there exist exactly $2^n$ pairs $(s, t)$ with $s \oplus t = y$.

Let $x_1 \neq x_2$. In the second step, a pair $(s', t') = (\sigma(x_2), \tau(x_2))$ is chosen with $s' \neq s$ and $t' \neq t$. There are $2^n - 1$ values $s' \neq s$ and as many values $t' \neq t$, hence the number of such pairs is $(2^n - 1)^2$. For every value $s' \neq s$, exactly one value $t' \neq t$ exists with $s' \oplus t' = s \oplus t$, and $y_1 = y_2$ if and only if $s' \oplus t' = s \oplus t$. Hence, exactly $2^n - 1$ of the $(2^n - 1)^2$ possible pairs $(s', t')$ induce $y_2 = y_1$, and thus

$$\Pr[y_1 = y_2] = \frac{2^n - 1}{(2^n - 1)^2} = \frac{1}{2^n - 1}.$$

If $\mathrm{SUM}^2$ were an ideal random function, we would have $\Pr[y_1 = y_2] = 2^{-n}$. But how good is the PRF $\mathrm{SUM}^2$ actually?

Theorem 5. For random permutations $\sigma, \tau \in P_n$ and $q < 2^{n-1}$, the function $f$ with $f(x) = \mathrm{SUM}^2(x) = \sigma(x) \oplus \tau(x)$ is a $(q, \alpha)$-secure PRF with $\alpha = q^3 / 2^{2n-1}$.



7 Full version online: http://www.counterpane.com/publish-1998.html.
Proof: The set $T \subseteq (\{0,1\}^n)^2$ is "fair"⁸ if for every value $y \in \{0,1\}^n$

$$|\{(\sigma^*, \tau^*) \in T \mid \sigma^* \oplus \tau^* = y\}| =$$

The adversary $A$ asks $q < 2^{n-1}$ oracle queries $x_1, \ldots, x_q$, w.l.o.g. $x_i \neq x_j$ for $i \neq j$. We write $y_1, \ldots, y_q$ for the corresponding oracle responses.

Consider evaluating $\mathrm{SUM}^2$ by choosing a pair $(\sigma_i, \tau_i) = (\sigma(x_i), \tau(x_i))$ and computing $y_i = \sigma_i \oplus \tau_i$. If all $(\sigma_i, \tau_i)$ were randomly chosen from a fair set and uniformly distributed, then the sums $y_i = \sigma_i \oplus \tau_i$ would be uniformly distributed random values, indistinguishable from the output of a random function.

The remainder of this proof is organised as follows:

1. We describe the sets $T_i \subseteq (\{0,1\}^n)^2$ the pairs $(\sigma_i, \tau_i)$ are chosen from, and we specify fair subsets $U_i \subseteq T_i$ with $|U_i| = |T_i| - (i-1)^2$.

2. We describe how to choose the pairs $(\sigma_i, \tau_i)$ from the fair sets $U_i$, except when a "bad" event happens.

3. We calculate the probability of the "bad" event.

Let $i \neq j$. Since $\sigma$ and $\tau$ are permutations, $\sigma_i \neq \sigma_j$ and $\tau_i \neq \tau_j$. Thus, by choosing the pair $(\sigma_i, \tau_i)$, all pairs $(s, t)$ with $s = \sigma_i$ or $t = \tau_i$ are "consumed", i.e., cannot be chosen for $(\sigma_j, \tau_j)$.

By $S_i$, we denote the set of consumed pairs before the choice of $(\sigma_i, \tau_i)$. By $T_i = (\{0,1\}^n)^2 - S_i$, we denote the set of un-consumed pairs. Note that $T_i$ is fair if and only if $S_i$ is fair. Since $S_1 = \{\}$, both $S_1$ and $T_1$ are fair and $y_1$ is a uniformly distributed random value. Given $(\sigma_1, \tau_1), \ldots, (\sigma_k, \tau_k)$ we define $U_{k+1} \subseteq T_{k+1}$. Consider the following $2k$ fair sets of pairs:

$$\{(\sigma_1, \tau^*) \mid \tau^* \in \{0,1\}^n\}, \ldots, \{(\sigma_k, \tau^*) \mid \tau^* \in \{0,1\}^n\}$$

and

$$\{(\sigma^*, \tau_1) \mid \sigma^* \in \{0,1\}^n\}, \ldots, \{(\sigma^*, \tau_k) \mid \sigma^* \in \{0,1\}^n\}.$$

$S_{k+1}$ is the union of the above $2k$ sets of pairs. If the above $2k$ sets were all disjoint, $S_{k+1}$ would be fair. But actually, exactly $k^2$ pairs are contained in two of the above sets, namely all pairs $(\sigma_i, \tau_j)$ with $i, j \in \{1, \ldots, k\}$. We arbitrarily choose unique representatives $(\sigma'_i, \tau'_j)$ for $(\sigma_i, \tau_j)$ with $(\sigma'_i, \tau'_j) \in T_{k+1}$ and $\sigma'_i \oplus \tau'_j = \sigma_i \oplus \tau_j$. We define $U_{k+1}$ to be the set of all pairs in $T_{k+1}$ except for the representatives $(\sigma'_i, \tau'_j)$. Hence $|U_{k+1}| = |T_{k+1}| - k^2$. By induction one can see that for every $y \in \{0,1\}^n$ the set $U_{k+1}$ contains exactly $2^n - 2k$ pairs $(\sigma_s, \tau_t)$ with $\sigma_s \oplus \tau_t = y$. Since $k < q < 2^{n-1}$, it is possible to run the simulation described in Figure 3; in particular, a set $U_i$ exists.

The distribution of the values $y_i$ is as required for $\mathrm{SUM}^2$. The simulation generates an additional value "bad". If bad $= 0$, each of the pairs $(\sigma_i, \tau_i)$ is

⁸ This notion of fairness is the two-dimensional special case of Definition 2. If $T$ is fair and we choose $(s, t) \in_R T$, the sum $y = s \oplus t$ is a uniformly distributed random value in $\{0,1\}^n$.
    Set bad := 0;
    for i := 1 to q:
        determine the sets T_i and U_i;
        choose (σ_i, τ_i) ∈_R T_i;
        if (σ_i, τ_i) ∉ U_i then bad := 1;
        output y_i = σ_i ⊕ τ_i;
    output bad.

Fig. 3. A simulation for the PRF SUM^2



chosen from a fair set $U_i$, and the sums $y_i$ are indistinguishable from the output of a random function. Thus $\mathrm{Adv}_A \leq \Pr[\mathrm{bad} = 1]$ for every adversary $A$. Using

$$\Pr[(\sigma_{i+1}, \tau_{i+1}) \notin U_{i+1}] = \frac{i^2}{(2^n - i)^2},$$

we bound the probability $\Pr[\mathrm{bad} = 1]$:

$$\Pr[\mathrm{bad} = 1] \leq \sum_{0 \leq i < q} \Pr[(\sigma_{i+1}, \tau_{i+1}) \notin U_{i+1}] = \sum_{0 \leq i < q} \frac{i^2}{(2^n - i)^2} \leq \sum_{0 \leq i < q} \frac{i^2}{(2^n - q)^2} = (2^n - q)^{-2} \cdot \sum_{0 \leq i < q} i^2 . \qquad (7)$$

By using $\sum_{0 \leq i < q} i^2 = (q(q-1)(2q-1))/6 < 2q^3/6$ we get

$$\Pr[\mathrm{bad} = 1] < \frac{q^3}{3 \cdot (2^n - q)^2},$$

and since $q < 2^{n-1}$ gives $(2^n - q)^2 > 2^{2n-2}$, hence $\Pr[\mathrm{bad} = 1] < q^3 / 2^{2n-1}$. □

Note that Theorem 5 provides a marginally better bound than Theorem 2 for $d = 2$. This is because Theorem 2 considers the general case (and because the current author tried to avoid overcrowding its proof with too many technical details). The general outline of the proofs of Theorems 2, 3, and 5 is quite similar.
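The appendix's two quantitative claims, the collision probability $1/(2^n - 1)$ of $\mathrm{SUM}^2$ and the sum-of-squares bound (7) that feeds Theorem 5, can be checked mechanically for small block sizes. The following Python is an added example written for this page, not code from the paper: it repeats the appendix's counting argument by brute force, estimates the same probability from genuinely random permutations, and compares the bound of (7) with the $\alpha = q^3/2^{2n-1}$ of Theorem 5. Block size $n = 4$, the seed and the trial count are the example's own choices.

```python
import random
from fractions import Fraction
from itertools import product


def random_permutation(n, rng):
    """A uniformly random permutation of {0,1}^n, stored as a lookup table."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


def sum2(sigma, tau, x):
    """SUM^2(x) = sigma(x) xor tau(x) for two permutation tables."""
    return sigma[x] ^ tau[x]


def collision_probability_by_counting(n):
    """Exact Pr[y1 = y2] for two distinct inputs, following the appendix:
    (s,t) for x1 is arbitrary, (s',t') for x2 must satisfy s' != s and t' != t
    because sigma and tau are permutations, and y1 = y2 iff s^t == s'^t'."""
    big_n = 1 << n
    hits = total = 0
    for s, t in product(range(big_n), repeat=2):
        for sp in range(big_n):
            if sp == s:
                continue
            for tp in range(big_n):
                if tp == t:
                    continue
                total += 1
                if s ^ t == sp ^ tp:
                    hits += 1
    return Fraction(hits, total)          # equals 1 / (2^n - 1)


def collision_probability_empirical(n, trials, seed=1):
    """Monte-Carlo estimate of the same probability from random permutations
    (constructed sample: fixed inputs x1 = 0, x2 = 1, seeded RNG)."""
    rng = random.Random(seed)
    x1, x2 = 0, 1
    hits = 0
    for _ in range(trials):
        sigma, tau = random_permutation(n, rng), random_permutation(n, rng)
        if sum2(sigma, tau, x1) == sum2(sigma, tau, x2):
            hits += 1
    return hits / trials


def bad_event_bound(n, q):
    """Bound (7): Pr[bad = 1] <= (2^n - q)^-2 * sum_{0 <= i < q} i^2."""
    return Fraction(sum(i * i for i in range(q)), ((1 << n) - q) ** 2)


def theorem5_alpha(n, q):
    """alpha = q^3 / 2^(2n-1) from Theorem 5 (the theorem needs q < 2^(n-1))."""
    return Fraction(q ** 3, 1 << (2 * n - 1))


if __name__ == "__main__":
    n = 4
    print("exact Pr[y1 = y2] for n=4:", collision_probability_by_counting(n),
          "versus 1/2^n =", Fraction(1, 1 << n))
    print("empirical estimate:", collision_probability_empirical(n, 20000))
    for q in (2, 4, 7):
        print(f"q={q}: bound (7) = {float(bad_event_bound(n, q)):.5f}"
              f" <= alpha = {float(theorem5_alpha(n, q)):.5f}")
```

The exhaustive count is only feasible for tiny $n$ (it enumerates $2^{4n}$ quadruples), but that is enough to see the gap between $1/(2^n - 1)$ and the ideal $2^{-n}$; the bound check shows that (7) is always at least as tight as the closed form $\alpha$, since the final step of the proof discards a factor of roughly $3/2$.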
Abstract. This paper addresses the problem of obtaining new construction methods for cryptographically significant Boolean functions. We show that for each positive integer $m$, there are infinitely many integers $n$ (both odd and even), such that it is possible to construct $n$-variable, $m$-resilient functions having nonlinearity greater than $2^{n-1} - 2^{\lfloor n/2 \rfloor}$. Also we obtain better results than all published works on the construction of $n$-variable, $m$-resilient functions, including cases where the constructed functions have the maximum possible algebraic degree $n - m - 1$. Next we modify the Patterson-Wiedemann functions to construct balanced Boolean functions on $n$ variables having nonlinearity strictly greater than $2^{n-1} - 2^{\frac{n-1}{2}}$ for all odd $n \geq 15$. In addition, we consider the properties strict avalanche criteria and propagation characteristics which are important for design of S-boxes in block ciphers and construct such functions with very high nonlinearity and algebraic degree.



1 Introduction

The following four factors are important in designing Boolean functions for stream cipher applications.

Balancedness. An $n$-variable Boolean function $f$ is said to be balanced if $wt(f) = 2^{n-1}$, where $wt(\cdot)$ gives the Hamming weight and $f$ is considered to be represented by a binary string of length $2^n$.

Nonlinearity. The nonlinearity of an $n$-variable Boolean function $f$, denoted by $nl(f)$, is the (Hamming) distance of $f$ from the set of all $n$-variable affine functions. We denote by $nlmax(n)$ the maximum possible nonlinearity of $n$-variable functions.

Algebraic Degree. An $n$-variable Boolean function $f$ can be represented as a multivariate polynomial over GF(2). This polynomial is called the Algebraic Normal Form (ANF) of $f$. The degree of this polynomial is called the algebraic degree or simply the degree of $f$ and is denoted by $deg(f)$. It is easy to see that the maximum algebraic degree of an $n$-variable balanced function is $n - 1$.

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 485-506, 2000.
© Springer-Verlag Berlin Heidelberg 2000
Correlation Immunity. An $n$-variable Boolean function $f(x_n, \ldots, x_1)$ is said to be correlation immune (CI) of order $m$ if the probability that $f = 1$, conditioned on any $m$ distinct input variables $x_{i_1}, \ldots, x_{i_m}$ being fixed to any values $c_1, \ldots, c_m \in \{0, 1\}$, equals the unconditional probability that $f = 1$. A balanced $m$-th order correlation immune function is called $m$-resilient. Siegenthaler [16] proved a fundamental relation between the number of variables $n$, the degree and the order of correlation immunity of a Boolean function: the order of correlation immunity plus the degree is at most $n$. Moreover, if the function is balanced then this sum is at most $n - 1$.

The set of all $n$-variable Boolean functions is denoted by $\Omega_n$. We denote by $\Omega_n(m)$ the set of all balanced $n$-variable functions which are CI of order $m$. By an $(n, m, d, x)$ function we mean an $n$-variable, $m$-resilient function having degree $d$ and nonlinearity $x$. By an $(n, 0, d, x)$ function we mean an $n$-variable, degree $d$, balanced function with nonlinearity $x$.

A good Boolean function must possess a "good combination" of the above properties to be used in stream ciphers. Previous works to construct such good functions have proceeded in two ways.

1. In the first approach the degree is ignored and the number of variables and the order of correlation immunity are fixed. One then tries to get a function having as high nonlinearity as possible. This approach has been considered in [15,2] and we call this the — approach.

2. The second approach considers the degree. However, by Siegenthaler's inequality, the maximum possible degree of an $n$-variable, $m$-resilient function is $n - m - 1$. Functions achieving this degree have been called optimized [7]. As in the first approach one then tries to get as high nonlinearity as possible for optimized functions. Design methods for this class of functions have been considered in [4,7,8,18] and we call this the — approach.

Previous efforts at obtaining resilient functions have sometimes employed heuristic search techniques [4,8]. In certain cases these have provided better results than constructive techniques [15,7]. The list of all such known cases is as follows: (a) $(7, 0, 6, 56)$, $(9, 0, 7, 240)$ and $(9, 2, 6, 224)$ functions from [4] and (b) $(9, 1, 7, 236)$, $(10, 1, 8, 480)$ and $(11, 1, 9, 976)$ functions from [8]. These examples are indicative of the inadequacies of the current constructive techniques. However, heuristic searches cannot be conducted for a moderate to large number of variables.

Here we provide a systematic theory for the design of resilient functions. Our techniques are sharp enough to obtain general results which are better than all the examples mentioned above. Corresponding to the list given above we have $(7, 0, 6, 56)$, $(9, 0, 8, 240)$, $(9, 2, 6, 232)$, $(9, 1, 7, 240)$, $(10, 1, 8, 484)$ and $(11, 1, 9, 992)$ functions. Also we are able to prove some difficult results on the nonlinearity of resilient functions. Here for the first time we show that for each order of resiliency $m$, there are infinitely many $n$ (both odd and even), such that it is possible to construct $n$-variable, $m$-resilient functions having nonlinearity greater than $2^{n-1} - 2^{\lfloor n/2 \rfloor}$. One consequence of this result is that it completely disproves the conjecture on nonlinearity made in [8]. We use our techniques to present design algorithms for optimized resilient functions and obtain superior results to all known work in this area (see Section 6 for details). The functions constructed by our methods have a nice representation and though they have quite complicated algebraic normal forms they can be implemented efficiently in hardware. See [12] for details of the hardware implementation.

Next we describe the other contributions of this paper. In Section 7, we use a randomized heuristic to construct for the first time balanced functions with nonlinearity greater than $2^{n-1} - 2^{\frac{n-1}{2}}$ for $n = 15, 17, 19, 21, 23, 25, 27$. We use the functions provided in [9] as the basic input to our algorithm. Earlier these functions [9] were used to obtain balanced functions with nonlinearity greater than $2^{n-1} - 2^{\frac{n-1}{2}}$ only for odd $n \geq 29$ [14]. Also the functions we construct possess maximum algebraic degree ($n - 1$).

S-boxes can be viewed as a set of Boolean functions [10,6]. Propagation Characteristic (PC) and Strict Avalanche Criteria (SAC) are important properties of Boolean functions to be used in S-boxes. Preneel et al [10] provided basic construction techniques for Boolean functions with these properties.

Propagation Characteristic and Strict Avalanche Criteria. Let $x$ be an $n$-tuple $x_1 \ldots x_n$ and $\alpha \in \{0, 1\}^n$. A function $f \in \Omega_n$ is said to satisfy

(1) SAC if $f(x) \oplus f(x \oplus \alpha)$ is balanced for any $\alpha$ such that $wt(\alpha) = 1$.

(2) SAC($k$) if any function obtained from $f$ by keeping any $k$ input bits constant satisfies SAC.

(3) PC($l$) if $f(x) \oplus f(x \oplus \alpha)$ is balanced for any $\alpha$ such that $1 \leq wt(\alpha) \leq l$.

(4) PC($l$) of order $k$ if any function obtained from $f$ by keeping any $k$ input bits constant satisfies PC($l$).

In [10], it has been shown that for balanced SAC($k$) functions on $n$ variables, $deg(f) \leq n - k - 1$. Recently in [6], balanced SAC($k$) functions on $n$ variables with $deg(f) = n - k - 1$ have been identified for $n - k - 1$ odd. However, construction of such functions for $n - k - 1$ even has been left as an open problem. In [6], balanced SAC($k$) functions with high algebraic degree have been proposed. However, balanced SAC($k$) functions with both high algebraic degree and high nonlinearity have not been studied. PC($l$) of order $k$ functions with good nonlinearity and algebraic degree have been reported in [6].

In Section 8, first we improve the algebraic degree and nonlinearity results of the PC($l$) of order $k$ functions reported in [6]. Then motivated by the construction methods of SAC($k$) functions in [6], we introduce a new cryptographic criterion called the restricted balancedness of Boolean functions and show that certain types of bent functions satisfy this property. Also we modify the functions provided by Patterson and Wiedemann [9] to obtain restricted balancedness while keeping the nonlinearity unchanged. For the first time we consider the properties of balancedness, SAC($k$), algebraic degree and nonlinearity together. We construct balanced (using the functions with restricted balancedness) SAC($k$) functions in $\Omega_n$ with maximum possible algebraic degree $n - k - 1$ and very high nonlinearity for $k < \frac{n}{2} - 1$. This also shows that there exist balanced SAC($k$) functions on $n$ variables with $deg(f) = n - k - 1$ even, which was posed as an open question in [6]. Also, we present an interesting result on resilient functions satisfying PC($k$). In a previous work [15], it was shown that resilient functions satisfy propagation characteristics with respect to a set of input vectors, but not PC($k$) for some $k$.

2 Preliminaries

The Hamming weight (or simply the weight) of a binary string $s$ is denoted by $wt(s)$ and is the number of ones in the string $s$. The length of a string $s$ is denoted by $|s|$ and the concatenation of two strings $s_1$ and $s_2$ is written as $s_1 s_2$. Given a string $s$, we define $s^c$ to be the string which is the bitwise complement of $s$. The operation $\oplus$ on two strings performs the bitwise exclusive OR of the two strings.

Let $s_1, s_2$ be two bit strings of length $n$ each. Then $\#(s_1 = s_2)$ (resp. $\#(s_1 \neq s_2)$) denotes the number of positions where $s_1$ and $s_2$ are equal (resp. unequal). The Hamming distance between two strings $s_1$ and $s_2$ is denoted by $d(s_1, s_2)$ and is given by $d(s_1, s_2) = \#(s_1 \neq s_2) = wt(s_1 \oplus s_2)$. The Walsh distance between the strings $s_1$ and $s_2$ is denoted by $wd(s_1, s_2)$ and is given by $wd(s_1, s_2) = \#(s_1 = s_2) - \#(s_1 \neq s_2)$. The relation between these two measures is as follows. Let $s_1, s_2$ be two binary strings of length $n$ each. Then $wd(s_1, s_2) = n - 2\, d(s_1, s_2)$.

Given a bit $b$ and a string $s = s_0 \ldots s_{n-1}$, the string $b$ AND $s = s'_0 \ldots s'_{n-1}$, where $s'_i = b$ AND $s_i$. The Kronecker product of two strings $x = x_0 \cdots x_{n-1}$ and $y = y_0 \cdots y_{m-1}$ is a string of length $nm$, denoted by $x \otimes y = (x_0 \text{ AND } y) \ldots (x_{n-1} \text{ AND } y)$. The direct sum of two strings $x$ and $y$, denoted by $x \$ y$, is given by $x \$ y = (x \otimes y^c) \oplus (x^c \otimes y)$. As an example, if $f = 01$ and $g = 0110$, then $f \$ g = 01101001$. Note that both the Kronecker product and the direct sum are not commutative operations. The following result will prove to be important later.

Lemma 1. Let $f_1, f_2$ be strings of equal length and $g$ a string of length $n$. Then $wd(f_1 \$ g, f_2 \$ g) = n \times wd(f_1, f_2)$.

Four basic properties of the direct sum of Boolean functions are given below without proof (see also [9,15]).

Proposition 1. Let $f(x_n, \ldots, x_1) \in \Omega_n$ and $g(y_m, \ldots, y_1) \in \Omega_m$, with $\{x_n, \ldots, x_1\} \cap \{y_m, \ldots, y_1\} = \emptyset$. Then $f \$ g$ is in $\Omega_{n+m}$ and

(a) The ANF of $f \$ g$ is given by $f(x_n, \ldots, x_1) \oplus g(y_m, \ldots, y_1)$.

(b) $f \$ g$ is balanced iff at least one of $f$ and $g$ is balanced.

(c) Let $f$ be $k_1$-resilient and $g$ be $k_2$-resilient. Then $f \$ g$ is $\max(k_1, k_2)$-resilient. Also $f \$ g$ is $k$-resilient if at least one of $f$ or $g$ is $k$-resilient.

(d) $nl(f \$ g) = 2^n\, nl(g) + 2^m\, nl(f) - 2\, nl(f)\, nl(g)$.

An $n$-variable Boolean function $f(x_n, \ldots, x_1)$ is said to be affine if the ANF of $f$ is of the form $f(x_n, \ldots, x_1) = \bigoplus_{i=1}^{n} a_i x_i \oplus b$ for $a_i, b \in \{0, 1\}$. If $b$ is 0, then the function is said to be linear. Also $f$ is said to be nondegenerate on $t$ variables if $t$ out of the $a_i$'s are 1 and the rest are 0. Next we define the following subsets of linear/affine functions.

1. The set $L_n(k)$ (resp. $A_n(k)$) is the set of all $n$-variable linear functions (resp. affine functions) which are non-degenerate on exactly $k$ variables.

2. The linear functions nondegenerate on at least $k$ variables form $L_n(k) \cup \ldots \cup L_n(n)$, and those nondegenerate on at least 1 and at most $k$ variables form $L_n(1) \cup \ldots \cup L_n(k)$.

3. Likewise for affine functions: $A_n(k) \cup \ldots \cup A_n(n)$ and $A_n(1) \cup \ldots \cup A_n(k)$.

4. $L_n = L_n(0) \cup L_n(1) \cup \ldots \cup L_n(n)$ and $A_n = A_n(0) \cup A_n(1) \cup \ldots \cup A_n(n)$.

The sets $L_n$ and $A_n$ are respectively the sets of all linear and affine functions of $n$ variables. The following result states three useful properties of affine functions.

Lemma 2. (a) Let $l \in A_n(m)$ and $k$ ($1 \leq k \leq n$) be an integer. Then $l = l_1 \$ l_2$ for some $l_1 \in A_{n-k}(r)$ and $l_2 \in L_k(m - r)$ for some $r \geq 0$.

(b) Let $l_1, l_2 \in A_n$. Then $wd(l_1, l_2) = 0, 2^n, -2^n$ (resp. $d(l_1, l_2) = 2^{n-1}, 0, 2^n$) according as $l_1 \neq l_2, l_2^c$; $l_1 = l_2$; or $l_1 = l_2^c$.

(c) If $l$ is a linear function nondegenerate on at least $m + 1$ variables (i.e. $l \in L_n(m+1) \cup \ldots \cup L_n(n)$), then $l$ is $m$-resilient.

Siegenthaler [16] was the first to define CI functions and point out their importance in stream ciphers [17]. A useful characterization of correlation immunity based on the Walsh transform was obtained in [5]. The following result translates the Walsh transform characterization of correlation immunity to Walsh distances.

Theorem 1. An $n$-variable Boolean function $f$ is correlation immune of order $m$ iff $wd(f, l) = 0$ for all $l \in L_n(1) \cup \ldots \cup L_n(m)$.

3 Construction Ideas for Resilient Functions

3.1 Basic Results

We first define two subsets of $\Omega_n(m)$. Later we will provide construction methods for certain subsets of these sets which have good cryptographic properties.

Definition 1.

1. $\Gamma(n, m, k) = \{ f \in \Omega_n : f = f_0 \ldots f_{2^{n-k}-1},\ f_i \in \Omega_k(m),\ wt(f_i) = 2^{k-1} \}$.

2. $\Gamma_1(n, m, k) = \{ f \in \Omega_n : f = f_0 \ldots f_{2^{n-k}-1},\ f_i \in A_k(m+1) \cup \ldots \cup A_k(k) \}$.

Theorem 2. $\Gamma(n, m, k) \subseteq \Omega_n(m)$.

Proof: Observe that if $f$ and $g$ are resilient of order $m$ then so is $fg$. The result then follows from repeated application of this fact. □

Since any function in $A_k(m+1) \cup \ldots \cup A_k(k)$ is $m$-resilient, we have the following result.

Lemma 3. $\Gamma_1(n, m, k) \subseteq \Gamma(n, m, k)$.

The set $\Gamma_1 = \bigcup_{n \geq 3} \bigcup_{1 \leq m \leq n-1} \bigcup_{m+1 \leq k \leq n} \Gamma_1(n, m, k)$ was first obtained by Camion et al in [1], though in an entirely different form. We will show that the extension obtained in Theorem 2 is important and provides optimized functions with significantly better nonlinearities.

Theorem 3. Let $f \in \Gamma(n, m, k)$ be of the form $f_0 \ldots f_{2^{n-k}-1}$. Let the logical AND of $r$ variables, $x_{j_1} \ldots x_{j_r}$ ($j_1, \ldots, j_r \in \{1, \ldots, k\}$), be a term which occurs in the ANF of an odd number of the $f_i$'s. Then the term $x_n \ldots x_{k+1} x_{j_1} \ldots x_{j_r}$ occurs in the algebraic normal form of $f$.

Corollary 1. Let $f \in \Gamma_1(n, m, k)$ be of the form $f_0 \ldots f_{2^{n-k}-1}$ and let $x_i$ ($i \in \{1, \ldots, k\}$) be a variable which occurs in an odd number of the $f_i$'s. Then the term $x_n \ldots x_{k+1} x_i$ occurs in the algebraic normal form of $f$ and hence $f$ is of degree $n - k + 1$. Moreover, the maximum degree $n - m - 1$ is attained when $k = m + 2$.

Corollary 1 was obtained in [15] and it places a restriction on the value of $k$ for optimized functions in $\Gamma_1(n, m, k)$. However, this restriction can be lifted by using Theorem 3.

Lemma 4. A degree optimized $(n, m, n - m - 1, x)$ function is always nondegenerate.

The ANFs of the functions in $\Gamma$ and $\Gamma_1$ are not simple. This is important from a cryptographic point of view. Given $k$, in most cases it is possible to choose two functions $f_1$ and $f_2$, such that the ANFs of both $f_1$ and $f_2$ are complicated and $f_1 \oplus f_2$ is nondegenerate and has a complicated ANF. In particular, one can choose $f_1$ and $f_2$ such that none of the three functions $f_1$, $f_2$ and $f_1 \oplus f_2$ depends linearly on any input variable. It is also possible to design functions such that each variable occurs in a maximum degree term. This is possible by ensuring that each variable occurs an odd number of times, as mentioned in Corollary 1.

In the next four subsections we present the ideas behind the basic construction techniques to be used in this paper. In the later sections we combine several of these ideas to construct resilient functions with very high nonlinearities.

3.2 Method Using Direct Sum with Nonlinear Functions

We first consider the set $\Gamma_1(n, m, k)$. A function $f$ in $\Gamma_1(n, m, k)$ is a concatenation of affine functions in $A_k(m+1) \cup \ldots \cup A_k(k)$. Since there are $2^{n-k}$ slots to be filled and a maximum of $N = \binom{k}{m+1} + \ldots + \binom{k}{k}$ linear functions in $L_k(m+1) \cup \ldots \cup L_k(k)$, it follows that at least one linear function and its complement must together be repeated at least $t = \lceil 2^{n-k} / N \rceil$ times. We call a linear function and its complement a linear couple. When we say that a linear couple is repeated $t$ times, we mean that the corresponding linear function and its complement are repeated $t$ times in total. Using Lemma 2, any affine function in $A_n$ can be considered to be a concatenation of some linear couple in $L_k$. Thus if one is not careful in constructing $f$, it may happen that $f$ and $l$ agree at all places for some linear couple repeated $t$ times in $f$. This means that the nonlinearity drops by $t 2^{k-1}$ and gives a lower bound of $2^{n-1} - t 2^{k-1}$ on the nonlinearity of $f$. This is the bound obtained in [15]. However, one can construct $f \in \Gamma_1(n, m, k)$ with significantly better nonlinearities. The following result is the key to the construction idea.

Theorem 4. Let $f \in \Gamma_1(n, m, k)$ be of the form $f_1 \ldots f_p$ where $p = 2^{n-k-r}$ for some $r$, and for each $i$, $f_i$ is in $\Omega_{k+r}$ and is of the form $f_i = h_i \$ l_i$, where $h_i$ is a maximum nonlinear function on $r$ variables and $l_i$ is in $L_k(m+1) \cup \ldots \cup L_k(k)$. Also the $l_i$'s are distinct. Then $nl(f) = 2^{n-1} - (2^r - 2 \times nlmax(r)) 2^{k-1}$.

Proof: By construction $f$ is a concatenation of linear couples $l_i, l_i^c$ from $L_k(m+1) \cup \ldots \cup L_k(k)$. Let $l$ be in $A_n$ and be a concatenation of the linear couple $l', l'^c$ for some $l'$ in $L_k$. If $l' \neq l_i$ for any $i$, then $d(f, l) = 2^{n-1}$. On the other hand if $l' = l_j$ for some $j$, then $d(f, l) = (2^{n-1} - 2^{k+r-1}) + d(h_j \$ l_j, \eta_j \$ l_j)$, for some $\eta_j$ in $A_r$. From Lemma 1, $d(h_j \$ l_j, \eta_j \$ l_j) = 2^k\, d(h_j, \eta_j)$, so $d(f, l) = 2^{n-1} - (2^r - 2\, d(h_j, \eta_j)) 2^{k-1}$. Since $h_j$ is a maximum nonlinear function on $r$ variables, $nl(h_j) = nlmax(r)$ and so $nlmax(r) \leq d(h_j, \eta_j) \leq 2^r - nlmax(r)$. Hence we get

$$2^{n-1} - (2^r - 2\, nlmax(r)) 2^{k-1} \leq d(f, l) \leq 2^{n-1} + (2^r - 2\, nlmax(r)) 2^{k-1}.$$

This gives $nl(f) = 2^{n-1} - (2^r - 2 \times nlmax(r)) 2^{k-1}$. □
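The definitions of Section 2 (Walsh distance, direct sum, Proposition 1(d), Theorem 1) and the Theorem 4 construction above are easy to verify on a small instance. The following Python is an added example written for this page, not the authors' code: truth tables are plain lists of bits, the Walsh spectrum and the ANF are computed with the standard fast transforms, and `theorem4_example` builds the case $n = 7$, $r = 2$, $k = 3$, $m = 1$ of Theorem 4, concatenating $h \$ l_i$ for the bent function $h = x_1 x_2$ and the four linear functions on 3 variables nondegenerate on at least 2 variables. The bit layout (variable $x_1$ in the least significant bit of the index, $f$ on the high bits in $f \$ g$, as in the page's $01 \$ 0110 = 01101001$) is this example's choice; all function names are the example's own.

```python
# Truth tables are lists of 0/1 of length 2^n; entry x is f(x), where bit j-1 of x
# holds the variable x_j (so x_1 is the least significant bit of the index).

def walsh_spectrum(tt):
    """wd(f, l_a) = #(f = l_a) - #(f != l_a) for every linear l_a(x) = <a, x>,
    computed with the fast Walsh-Hadamard transform of the +-1 version of f."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w

def nonlinearity(tt):
    """nl(f): distance from the nearest affine function (Section 2)."""
    return (len(tt) - max(abs(v) for v in walsh_spectrum(tt))) // 2

def algebraic_degree(tt):
    """deg(f): degree of the ANF, obtained with the Moebius transform."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((bin(m).count("1") for m, c in enumerate(a) if c), default=0)

def is_balanced(tt):
    return 2 * sum(tt) == len(tt)

def resiliency_order(tt):
    """Largest m such that f is balanced and CI of order m, via Theorem 1:
    wd(f, l) = 0 for every linear l nondegenerate on 1..m variables.
    Returns -1 for unbalanced functions."""
    if not is_balanced(tt):
        return -1
    n = len(tt).bit_length() - 1
    w = walsh_spectrum(tt)
    m = 0
    while m < n and all(w[a] == 0 for a in range(1, len(tt)) if bin(a).count("1") == m + 1):
        m += 1
    return m

def linear(k, a):
    """Linear function on k variables selected by mask a (nondegenerate on the bits of a)."""
    return [bin(a & x).count("1") & 1 for x in range(1 << k)]

def direct_sum(f, g):
    """f $ g = (f (x) g^c) xor (f^c (x) g): f's variables are the high bits, g's the low bits."""
    return [fx ^ gy for fx in f for gy in g]

def concatenate(blocks):
    """f_0 ... f_{p-1}: the high (selector) bits pick the block."""
    return [b for blk in blocks for b in blk]

def theorem4_nonlinearity(n, r, k, nl_h):
    """nl(f) = 2^(n-1) - (2^r - 2 nlmax(r)) 2^(k-1) as stated in Theorem 4."""
    return 2 ** (n - 1) - (2 ** r - 2 * nl_h) * 2 ** (k - 1)

def theorem4_example():
    """n=7, r=2, k=3, m=1: blocks h $ l_i with h = x1 x2 (bent, nlmax(2) = 1) and
    l_i the four 3-variable linear functions nondegenerate on >= 2 variables."""
    h = [0, 0, 0, 1]
    couples = [linear(3, a) for a in (0b011, 0b101, 0b110, 0b111)]
    return concatenate([direct_sum(h, l) for l in couples])

def proposition1d_holds(f, g):
    """Check nl(f$g) = 2^n nl(g) + 2^m nl(f) - 2 nl(f) nl(g) for f on n, g on m variables."""
    expected = len(f) * nonlinearity(g) + len(g) * nonlinearity(f) - 2 * nonlinearity(f) * nonlinearity(g)
    return nonlinearity(direct_sum(f, g)) == expected

if __name__ == "__main__":
    f = theorem4_example()
    print("n=7 function: balanced", is_balanced(f), "resiliency", resiliency_order(f),
          "nl", nonlinearity(f), "deg", algebraic_degree(f))
    print("Theorem 4 predicts nl =", theorem4_nonlinearity(7, 2, 3, 1))
```

The example function comes out as a $(7, 1, 3, 56)$ function: 1-resilient (Theorem 1 finds a non-zero Walsh distance to $x_2 \oplus x_3$, so it is not 2-resilient), nonlinearity 56 exactly as Theorem 4 predicts, and degree 3 because every $x_i$ on the low bits appears in an odd number of the $l_i$ (Theorem 3). Siegenthaler's bound $m + d \leq n - 1$ holds with room to spare, which is the gap Section 3.5 later closes.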



3.3 Fractional Nonlinearity and Its Effect

In the previous section we considered the case when each linear couple is repeated $t$ times, where $t$ is a power of 2. In general it might be advantageous to repeat a linear couple $t$ times even when $t$ is not a power of 2. To see the advantage we need to introduce the notion of nonlinearity of "fractional functions". Let $2^{n-1} < t \leq 2^n$. Given a string $S$ of length $2^n$, let $first(S, t)$ be the string consisting of the first $t$ bits of $S$. The (fractional) nonlinearity of a string $S$ of length $t$ is denoted by $nl_f(S)$ and defined as $nl_f(S) = \min_{l \in A_n} d(S, first(l, t))$.

Given a positive integer $t$, the maximum possible fractional nonlinearity attainable by any string of length $t$ is denoted by $maxnl(t)$ and defined as $maxnl(t) = \max_{S \in \{0,1\}^t} nl_f(S)$. When $t = 2^n$, $maxnl(t) = nlmax(n)$. Also $maxnl(2^n + 1) = nlmax(n)$ and $maxnl(2^n - 1) = nlmax(n) - 1$. It is clear that $maxnl(t)$ is a nondecreasing function. If a linear couple is repeated $2^r$ times, then by Theorem 4, the fall in nonlinearity is by a factor of $(2^r - 2 \times nlmax(r))$. Motivated by this we define $Effect(t) = t - 2\, maxnl(t)$ as the factor by which nonlinearity falls when a linear couple is repeated $t$ times. In the construction of a function $f$ in $\Gamma_1(n, m, k)$ if the distinct linear couples are repeated $t_1, \ldots, t_p$ times then $nl(f) = \min_{1 \leq i \leq p}(2^{n-1} - 2^{k-1} Effect(t_i))$. The interesting point about $Effect(t)$ is that it is not a monotone increasing function. An important consequence of this is that the nonlinearity may fall by a lesser amount when a linear couple is repeated more times.

1. $Effect(2^r - 1) = 2^r - 1 - 2(nlmax(r) - 1) = 2^r + 1 - 2\, nlmax(r) = Effect(2^r + 1) > Effect(2^r)$.

2. $Effect(2^r) > Effect(2^{r-1})$ and $Effect(2^r) > Effect(2^{r-2} + 1)$.

3. If $r$ is odd, $Effect(2^r) > Effect(2^{r-1} + 1)$.

4. If $r$ is even, $Effect(2^r) < Effect(2^{r-1} + 1)$, assuming $nlmax(r - 1) = 2^{r-2} - 2^{\frac{r-2}{2}}$. If $r - 1 \geq 15$, the calculations are more complicated because of the existence of functions in [9].

One can also define fractional nonlinearity and $Effect(t)$ for balanced strings (provided $t$ is even). We believe that the idea of fractional nonlinearity is important and to the best of our knowledge it has not appeared in the literature before.
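For small $t$ the quantities $maxnl(t)$ and $Effect(t)$ can be computed exhaustively, which makes the non-monotonicity claimed above visible. The following Python is an added example written for this page, not the authors' code: it packs strings and truncated affine functions into integers, takes $nl_f$ as the minimum distance to every $first(l, t)$ with $l \in A_n$ for the $n$ satisfying $2^{n-1} < t \leq 2^n$, and maximises over all $2^t$ strings. The function names are the example's own; the range of $t$ is kept small because the search is exponential in $t$.

```python
def truncated_affine_functions(n, t):
    """All 2^(n+1) affine functions on n variables, cut to their first t truth-table
    bits and packed as integers (bit x holds the value at input x; x_1 is the least
    significant bit of x, so the first t inputs are 0, 1, ..., t-1)."""
    prefixes = []
    mask = (1 << t) - 1
    for a in range(1 << n):
        lin = sum(((bin(a & x).count("1") & 1) << x) for x in range(t))
        prefixes.append(lin)            # linear function <a, x>
        prefixes.append(lin ^ mask)     # its complement
    return prefixes

def fractional_nonlinearity(s, prefixes):
    """nl_f(S) = min over affine l of d(S, first(l, t)); S is packed as an integer."""
    return min(bin(s ^ p).count("1") for p in prefixes)

def max_fractional_nonlinearity(t):
    """maxnl(t) = max over all strings of length t of nl_f(S)."""
    n = max(1, (t - 1).bit_length())    # the n with 2^(n-1) < t <= 2^n
    prefixes = truncated_affine_functions(n, t)
    return max(fractional_nonlinearity(s, prefixes) for s in range(1 << t))

def effect(t):
    """Effect(t) = t - 2 maxnl(t): nonlinearity loss factor for a couple repeated t times."""
    return t - 2 * max_fractional_nonlinearity(t)

def effect_table(t_max):
    """Effect(t) for t = 2 .. t_max, so the non-monotone behaviour can be inspected."""
    return {t: effect(t) for t in range(2, t_max + 1)}

if __name__ == "__main__":
    for t, e in effect_table(10).items():
        print(f"t={t:2d}  maxnl={max_fractional_nonlinearity(t)}  Effect={e}")
```

For $r = 3$ the table shows $Effect(7) = 5 = Effect(9) > Effect(8) = 4$, the first item of the list above, and $Effect(6) = 4 \leq Effect(5) + 1$ illustrates that the loss from repeating a couple six times is not worse than from repeating it five times.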
3.4 Use of All Linear Functions

Here we show how to extend the set $\Gamma_1$. To construct a function $f \in \Gamma_1(n, m, k)$ we have to concatenate affine functions in $A_k(m+1) \cup \ldots \cup A_k(k)$. However, it is possible to use all the affine functions in $A_k$ to construct $n$-variable, $m$-resilient functions. Let $l$ be a function in $L_k$ which is nondegenerate on $r$ ($1 \leq r \leq m$) variables. Then $l l^c$ is 1-resilient and repeating this procedure $m - r + 1$ times one can construct a function in $L_{k+m-r+1}(m+1)$. The linear couple $l, l^c$ can then be used in the construction of $m$-resilient functions. The importance of this technique lies in the fact that it helps in reducing the repetition factor of linear couples in $L_k(m+1)$. However, one should be careful in ascertaining that the loss in nonlinearity due to the use of affine functions from $A_k(r)$ does not exceed the loss in repeating linear couples from $L_k(m+1)$. In Theorem 9 and Theorem 10, we show examples of how this technique can be used to construct optimized functions.



3.5 Use of Nonlinear Resilient Function

Here also we extend $\Gamma_1$, though in a different way. Corollary 1 places a restriction on the value of $k$ in $\Gamma_1(n, m, k)$ for optimized functions: $k = m + 2$. This in turn restricts the number of linear couples to be used in the construction to $m + 3$, thus increasing the repetition factor. However, if we allow $k > m + 2$, the problem is that the degree will fall. To compensate this we use one nonlinear $m$-resilient function on $k$ variables having degree $k - m - 1$ with the maximum possible nonlinearity. By Theorem 3, the overall function will have degree $n - m - 1$ but the number of available linear couples increases to $|L_k(m+1) \cup \ldots \cup L_k(k)| > |L_{m+2}(m+1) \cup L_{m+2}(m+2)|$. This reduces the repetition factor. In Subsection 5.2, we outline a design procedure for optimized functions based on this idea. Also in Section 4, we show how all the above ideas can be combined to disprove the conjecture of Pasalic and Johansson [8] for optimized functions.

4 Nonlinearity of Resilient Functions

A proper subset of $\Gamma_1$ was considered in [2], where only concatenation of linear (not affine) functions was used to construct functions in $\Gamma_1$. In particular, it was shown in [2] that the maximum possible nonlinearity for $n$-variable resilient functions in that subset is $2^{n-1} - 2^{\lfloor n/2 \rfloor}$. In a more recent paper, Pasalic and Johansson [8] have shown that the maximum possible nonlinearity of 6-variable, 1-resilient functions is 24. The same paper conjectured that the maximum possible nonlinearity of $n$-variable, 1-resilient functions is $2^{n-1} - 2^{\lfloor n/2 \rfloor}$. We provide infinitely many counterexamples to this conjecture. In fact, we show that given a fixed order of resiliency $m$, one can construct $n$-variable functions which are $m$-resilient and have nonlinearity greater than $2^{n-1} - 2^{\lfloor n/2 \rfloor}$. Moreover, the conjecture is disproved for optimized functions as well as for functions in $\Gamma_1$.
Theorem 5. Let $m$ be a fixed positive integer. Then there are infinitely many odd positive integers $n_o$ (resp. even positive integers $n_e$), such that one can construct functions $f$ of $n_o$ (resp. $n_e$) variables which are $m$-resilient and $nl(f) > 2^{n_o - 1} - 2^{\frac{n_o - 1}{2}}$ (resp. $nl(f) > 2^{n_e - 1} - 2^{\frac{n_e}{2}}$).

Proof: First note that if we can prove the result for an odd number of variables and for all $m \geq 1$, then the result is proved for an even number of variables and all $m > 1$. We also need a proof for an even number of variables and $m = 1$. These we proceed to do via the following sequence of results. □

Theorem 6. Let $m$ be a fixed positive integer. Choose $e, n_1, n_2$ such that (a) $n_1 + n_2$ is even, (b) $n_2 - n_1 = e n_1 = 2k$, for some $k \geq 4$, (c) ^ < e < 1, (d) (^) + ... + — 1. Then it is possible to construct an $m$-resilient function on $n = n_1 + n_2 + 15$ variables having nonlinearity greater than $2^{n-1} - 2^{\frac{n-1}{2}}$. Moreover, it is possible to construct such functions having maximum degree $n - m - 1$.

Proof: First we construct an $m$-resilient function $g$ on $n' = n_1 + n_2$ variables having nonlinearity $nl(g) = 2^{n'-1} - 2^{n_1 + k - 1} - 2^{n_1 - 1}$. Then we let $f = g \$ \phi$, where $\phi$ is a function on 15 variables having nonlinearity $nl(\phi) = 16276 = 2^{14} - 108$. This can be constructed using the method of [9]. The function $f$ is $m$-resilient (from Proposition 1) and the overall nonlinearity of $f$ is obtained as $nl(f) = nl(\phi) 2^{n'} + nl(g) 2^{15} - 2\, nl(g)\, nl(\phi)$. Simplifying, we get $nl(f) = 2^{n'+14} - 108(2^{\frac{n_2 - n_1}{2}} + 1) 2^{n_1}$. Using $n_2 - n_1 = 2k$, this simplifies to $nl(f) = 2^{n'+14} - 108(2^k + 1) 2^{n_1}$. On the other hand, $\frac{n-1}{2} = 7 + n_1 + k$. Since $108(2^k + 1) < 2^{k+7}$ for $k \geq 4$, we get $nl(f) > 2^{n-1} - 2^{\frac{n-1}{2}}$. Thus if we show how to construct $g$ then the proof will be complete.

The function $g$ is in $\Gamma_1(n', m, n_1)$ and is constructed in a way similar to that in Theorem 4. Since $g$ is to be $m$-resilient we are restricted to using linear couples from $L_{n_1}(m+1) \cup \ldots \cup L_{n_1}(n_1)$, and there are $2^{n_1} - N$ linear couples there, where $N$ is the number of linear functions on $n_1$ variables nondegenerate on at most $m$ variables. These have to be used to fill up $2^{n_2}$ slots and so the maximum repetition factor for each linear couple is $\lceil 2^{n_2} / (2^{n_1} - N) \rceil = 2^{n_2 - n_1} + 1$ by choice of the parameters $e, n_1, n_2$. Thus each linear couple is repeated either $2^{n_2 - n_1} + 1$ times or $2^{n_2 - n_1}$ times. Suppose $a$ linear couples are repeated $2^{n_2 - n_1} + 1$ times and $b$ linear couples are repeated $2^{n_2 - n_1}$ times. Let $l_1, \ldots, l_a$ be distinct linear functions from $L_{n_1}(m+1) \cup \ldots \cup L_{n_1}(n_1)$ and $l'_1, \ldots, l'_b$ be distinct linear functions from the same set which are also distinct from $l_1, \ldots, l_a$. Let $g_1, \ldots, g_a$ and $h_1, \ldots, h_b$ be bent functions of $n_2 - n_1$ variables. The function $g$ is a concatenation of the following sequence of functions:

$$g_1 \$ l_1 \ \ldots\ g_a \$ l_a \quad h_1 \$ l'_1 \ \ldots\ h_b \$ l'_b \quad l_1 \ \ldots\ l_a.$$

Using the same idea as in the proof of Theorem 4 one can show that $nl(g) = 2^{n'-1} - (2^{n_1 + k - 1} + 2^{n_1 - 1})$. This completes the proof of the first part of the Theorem.

To obtain the maximum possible degree $n - m - 1$ in the above construction we do the following. In the constructed function $f$, replace the last $2^{n_1}$ bits by an $n_1$-variable, $m$-resilient optimized function. Using Theorem 3 it follows that $f$ becomes optimized. Also the nonlinearity remains greater than $2^{n-1} - 2^{\frac{n-1}{2}}$. □
Example: For m = 1, choose n_1 = 10, n_2 = 16 and ε = 3/5. This provides 1-resilient, 41-variable functions f with nonlinearity 2^{40} − 2^{20} + 52 × 2^{10} > 2^{40} − 2^{20}. To obtain maximum degree 39, replace the last 2^{n_1} = 1024 bits of such a function f by a nonlinear 10-variable, 1-resilient, degree 8 function (see Theorem 9 later). This provides (41, 1, 39, x) functions with x > 2^{40} − 2^{20} + 51 × 2^{10}. For m = 2, choose n_1 = 16, n_2 = 24 and ε = 1/2. This provides 2-resilient, 55-variable functions with nonlinearity 2^{54} − 2^{27} + 212 × 2^{16}. As before we can obtain (55, 2, 52, x) functions with x > 2^{54} − 2^{27} + 211 × 2^{16}.

Corollary 2. The functions f and g constructed in the proof of Theorem 6 belong to A.

Corollary 3. For odd n, let f be an n-variable, m-resilient function having nl(f) > 2^{n−1} − 2^{(n−1)/2} and let g be a 2k-variable bent function. Then f $ g is an (n + 2k)-variable, m-resilient function with nl(f $ g) > 2^{n+2k−1} − 2^{(n+2k−1)/2}. Consequently, if Theorem 6 holds for some odd n_0, then it also holds for all odd n > n_0.

To prove Theorem 5, the only case that remains to be settled is m = 1 for an even number of variables.

Theorem 7. For each even positive integer n ≥ 12, one can construct 1-resilient functions f of n variables having nl(f) > 2^{n−1} − 2^{n/2}. Moreover, f is in Γ_1.

Proof: Let n = 2p and consider the set A(2p − 1, 1). We show how to construct a function in A(2p − 1, 1) having nonlinearity 2^{2p−1} − 3 × 2^{p−1}, which is greater than 2^{2p−1} − 2^p. Since we are constructing functions in A(2p − 1, 1) we have to use linear couples from the set L_{p−1}(2). The number of available linear couples is 2^{p−1} − p. Since there are 2^{p+1} slots to be filled, the maximum repetition factor is ⌈2^{p+1} / (2^{p−1} − p)⌉. Thus the linear couples are to be repeated either 5 times or 4 times. Then as in the construction of g in the proof of Theorem 6, one can construct a function f having nonlinearity 2^{2p−1} − 3 × 2^{p−1}. Since f is a concatenation of linear couples from L_{p−1}(2) it follows that f is 1-resilient. □

The above constructions can be modified to get optimized functions also. We illustrate this by providing construction methods for (2p, 1, 2p − 2, x) functions with x > 2^{2p−1} − 2^p for p ≥ 6. The constructed functions are not in A.

Theorem 8. For p ≥ 6, it is possible to construct (2p, 1, 2p − 2, x) functions with x greater than 2^{2p−1} − 2^p.

Proof: As in the proof of Theorem 7, we write 2p = (p + 1) + (p − 1) and try to fill up 2^{p+1} slots using 1-resilient (p − 1)-variable functions to construct a function f ∈ Ω_{2p}. As before we use linear couples from L_{p−1}(2), but here we use these linear couples to fill up only 2^{p+1} − 1 slots. The extra slot is filled up by a balanced (p − 1, 1, p − 3, x) function h. The repetition factor for each linear couple is again at most 5 and the construction is again similar to Theorem 6. The nonlinearity is calculated as follows. Let l be in L_{2p}. The function h contributes at least x to d(f, l). Ignoring the slot filled by h, the contribution to d(f, l) from the linear couples is found as in Theorem 4. This gives the following inequality: 2^{2p−1} − 2^p + x ≤ d(f, l) ≤ 2^{2p−1} + 2^p − x. Hence nl(f) = 2^{2p−1} − 2^p + x.

An estimate of x is obtained as follows. If p − 1 is odd we use Theorem 10. If p − 1 is even, then we recursively use the above construction. □

It is also possible to construct 1-resilient, 10-variable functions having nonlinearity 484 > 2^9 − 2^5. This construction for an optimized function combines all the construction ideas given in Section 3. The result disproves the conjecture of Pasalic and Johansson [8] for 10-variable functions.

Theorem 9. It is possible to construct (10, 1, 8, 484) functions.

Proof: We write 10 = 6 + 4 and concatenate affine functions of 4 variables to construct the desired function f. However, if we use only affine functions then the degree of f is less than 8. To improve the degree we use exactly one nonlinear (4, 1, 2, 4) function h. By Theorem 3, this ensures that the degree of the resulting function is 8. This leaves 2^6 − 1 slots to be filled by affine functions of 4 variables. If we use only functions from L_4(2), then the maximum repetition factor is 6 and the resulting nonlinearity is low. Instead we repeat the 11 linear couples in L_4(2) only 5 times each. This leaves 2^6 − 1 − 55 = 8 slots to be filled up. We now use functions from L_4(1). However, these are not resilient. But for l ∈ L_4(1), l l^c is resilient. Since there are exactly 4 functions in L_4(1) and each is repeated exactly 2 times, this uses up the remaining 8 slots. Let β_1, …, β_11 be bent functions on 2 variables and let λ_1, …, λ_11 be the 11 linear functions in L_4(2). Also let μ_1, …, μ_4 be the 4 linear functions in L_4(1). Then the function f is the concatenation of the following sequence of functions: λ_1 $ β_1 … λ_11 $ β_11 μ_1 μ_1^c … μ_4 μ_4^c λ_1 … λ_11, with h in the remaining slot. The nonlinearity calculation of f is similar to the previous proofs. Let l be in L_10. The worst case occurs when l is the concatenation of λ_i and λ_i^c for some 1 ≤ i ≤ 11. In this case d(f, l) = (2^6 − 1 − 5) 2^3 + 2^4 + 4 = 484. □

The functions constructed by the methods of Theorem 9 and Theorem 8 are not in Γ_1 and do not require the use of a 15-variable nonlinear function from [9]. It is important to note that the nonlinearity of functions constructed using Theorem 9 cannot be achieved using a concatenation of only affine functions. Moreover, in this construction it is not possible to increase the nonlinearity by relaxing the optimality condition on degree, i.e., allowing the degree to be less than 8.

The maximum possible nonlinearity of Boolean functions is equal to the covering radius of first order Reed-Muller codes. Patterson and Wiedemann showed that for odd n ≥ 15 the covering radius, and hence the maximum possible nonlinearity of an n-variable function, exceeds 2^{n−1} − 2^{(n−1)/2}. Seberry et al. [14] showed that for odd n ≥ 29, it is possible to construct balanced functions with nonlinearity greater than 2^{n−1} − 2^{(n−1)/2}. Theorem 6 establishes a similar result for optimized resilient functions of an odd number of variables for n ≥ 41.
5 Construction of Optimized Resilient Functions

Here we consider the construction of optimized functions. We start with the following important result.

Theorem 10. It is possible to construct (a) (2p + 1, 0, 2p, 2^{2p} − 2^p) functions for p ≥ 1, (b) (2p + 1, 1, 2p − 1, 2^{2p} − 2^p) functions for p ≥ 2, (c) (2p, 1, 2p − 2, 2^{2p−1} − 2^p) functions for p ≥ 2 and (d) (2p, 2, 2p − 3, 2^{2p−1} − 2^p) functions for p ≥ 3.

Proof: We present only the constructions (proofs are similar to Section 4).

(a) If p = 1, let f = x_3 ⊕ x_1 x_2. For p ≥ 2 consider the following construction. Let λ_1, λ_2, λ_3 be the functions in L_2(1) and λ_4 the (all zero) function in L_2(0). Let β_1 be a bent function on 2p − 2 variables and β_2 be a maximum nonlinear balanced function on 2p − 3 variables. If p = 2 let β_3, β_4 be strings of length 1 each, and for p ≥ 3 let β_3, β_4 be maximum nonlinear strings of length 2^{2p−4} + 1 and 2^{2p−4} − 1 respectively. Let f be a concatenation of the following sequence of functions: λ_1 $ β_1, λ_2 $ β_4, λ_3 $ β_2, λ_4 $ β_3. It can be shown that f is a (2p + 1, 0, 2p, 2^{2p} − 2^p) function.

(b) Let λ_1, λ_2, λ_3, λ_4 be the functions in L_3(2) and μ_1, μ_2, μ_3 the functions in L_3(1). For p = 2, let f = μ_1 μ_2 μ_3 λ_4. For p = 3, let f be the concatenation of the following sequence of functions: λ_1 $ β_1, λ_2 $ β_2, μ_1 μ_1 μ_2 μ_2 μ_3 μ_3 λ_3 λ_4, where β_1 and β_2 are 2-variable bent functions. For p ≥ 4, we have the following construction. Let λ_{4+i} = μ_i for 1 ≤ i ≤ 3. Let β_1, β_2 be bent functions of 2p − 4 variables, β_3, β_4, β_5 be bent functions of 2p − 6 variables and β_6, β_7 be two strings of lengths 2^{2p−6} + 1 and 2^{2p−6} − 1 and (fractional) nonlinearity nl(2p − 6) and nl(2p − 6) − 1 respectively. Let f be a concatenation of the following sequence of functions: λ_1 $ β_1, λ_2 $ β_2, λ_3 $ β_1, λ_4 $ β_2, λ_5 $ β_3, λ_6 $ β_3, λ_7 $ β_4. It can be shown that f is a (2p + 1, 1, 2p − 1, 2^{2p} − 2^p) function.

(c) and (d) follow from (a) and (b) on noting that if f is a (2p + 1, m, 2p − m, x) function then f f^c is a (2p + 2, m + 1, 2p − m, 2x) function. □

Note that items (a), (b) of Theorem 10 can also be proved using different techniques by modifying a special class of bent functions. See [13] for the detailed construction methods.
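Every construction in Sections 4 and 5 is verified the same way: compute the Walsh spectrum of a truth table and read off nonlinearity, order of resiliency and (through the algebraic normal form) degree. The Python code below is an added example, not code from the paper. It implements those checks and exercises them on three objects the text describes: the direct sum f $ g together with the nonlinearity formula nl(h)2^{n_1} + nl(g)2^{n_2} − 2 nl(g) nl(h) used in the proof of Theorem 6, a 5-variable function made by concatenating four distinct linear couples on 3 variables that each involve at least two variables (so the concatenation is 1-resilient), and the p = 1 instance of Theorem 10(a), f = x_3 ⊕ x_1x_2. The bit ordering (x_1 is the least significant bit of the truth-table index), the helper names and the sample functions are assumptions of this example.

```python
"""Walsh-spectrum toolkit for the constructions of Sections 4 and 5.

Added example, not the paper's code.  A Boolean function on n variables is a
truth table: a list of 2**n bits indexed by the integer x whose bit i holds
the variable x_{i+1} (x_1 is the least significant bit)."""


def walsh(tt):
    """Walsh spectrum W(a) = sum_x (-1)^(f(x) + <a,x>) via the fast transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def nonlinearity(tt):
    """nl(f) = 2^(n-1) - max|W(a)|/2, the distance to the nearest affine function."""
    n = len(tt).bit_length() - 1
    return 2 ** (n - 1) - max(abs(x) for x in walsh(tt)) // 2


def resiliency(tt):
    """Largest m with f balanced and W(a) = 0 for all 1 <= wt(a) <= m; -1 if unbalanced."""
    w = walsh(tt)
    n = len(tt).bit_length() - 1
    if w[0] != 0:
        return -1
    m = 0
    while m < n and all(w[a] == 0 for a in range(1, len(tt)) if bin(a).count("1") == m + 1):
        m += 1
    return m


def algebraic_degree(tt):
    """Degree of the algebraic normal form, obtained by the Moebius transform."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((bin(u).count("1") for u in range(len(a)) if a[u]), default=0)


def profile(tt):
    """(n, m, d, x): number of variables, order of resiliency, degree, nonlinearity."""
    return (len(tt).bit_length() - 1, resiliency(tt), algebraic_degree(tt), nonlinearity(tt))


def linear(n, mask):
    """Truth table of the linear function <mask, x> on n variables."""
    return [bin(x & mask).count("1") & 1 for x in range(2 ** n)]


def concat(*parts):
    """Concatenation of truth tables; the slot is selected by the top index bits."""
    return [b for part in parts for b in part]


def direct_sum(f, g):
    """f $ g: (x, y) -> f(x) + g(y).  As a string, each bit of g selects f or its complement."""
    return [fx ^ gy for gy in g for fx in f]


def nl_direct_sum(n1, nl1, n2, nl2):
    """Nonlinearity of f $ g from nl(f) and nl(g), as used in the proof of Theorem 6."""
    return 2 ** n1 * nl2 + 2 ** n2 * nl1 - 2 * nl1 * nl2


# Constructed sample inputs (assumptions of this example).
BENT4 = [((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)) for x in range(16)]  # x1x2 + x3x4
THM10A_P1 = [(x >> 2 & 1) ^ ((x & 1) & (x >> 1 & 1)) for x in range(8)]  # x3 + x1x2, Theorem 10(a), p = 1
# Four distinct linear couples on 3 variables, each with at least two variables,
# one per slot: the concatenation is 1-resilient (Proposition 1) with nl = 2^4 - 2^2.
RES5 = concat(linear(3, 0b011), linear(3, 0b101), linear(3, 0b110), linear(3, 0b111))

if __name__ == "__main__":
    print("bent x1x2+x3x4        ", profile(BENT4))                           # (4, -1, 2, 6)
    print("Theorem 10(a), p = 1  ", profile(THM10A_P1))                       # (3, 0, 2, 2)
    print("direct sum            ", profile(direct_sum(THM10A_P1, BENT4)))    # (7, 0, 2, 56)
    print("formula               ", nl_direct_sum(3, 2, 4, 6))                # 56
    print("four linear couples   ", profile(RES5))                            # (5, 1, 3, 12)
```

The direct sum with a bent function keeps the order of resiliency and raises the nonlinearity exactly as the formula predicts (2 × 16 + 6 × 8 − 2 × 2 × 6 = 56 = 2^6 − 2^3), which is the mechanism behind Corollary 3; the four-slot concatenation is the template (4, (4, 1)) of Algorithm A for (n, m) = (5, 1).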



5.1 Method Using Direct Sum with a Nonlinear Function 

Here we consider the set Γ_1(n, k) and show how to construct optimized functions with very high nonlinearities in this set. We build upon the idea described in Subsection 3.2. Since we consider optimized functions, Corollary 1 determines k = m + 2 and at least one variable in {x_k, …, x_1} must occur in an odd number of the linear functions used. We recall from Subsection 3.3 that nl(2^r − 1) = nl(2^r) − 1, nl(2^r + 1) = nl(2^r), and Effect(t) = t − 2 nl(t).

Given n and m, we construct an optimized function f in Γ_1(n, m + 2).

We define a variable template to be a list of the form (s, (s_1, t_1), …, (s_k, t_k)), where Σ_{j=1}^{k} s_j t_j = 2^{n−m−2}. The value s is the number of distinct linear couples to be used from the set L_{m+2}(m + 1) and for each j (1 ≤ j ≤ k), s_j linear couples are to be used t_j times each. While constructing a template one has to be careful in ascertaining that at least one variable occurs in an odd number of functions overall. This gives rise to the various cases in Algorithm A. Since an n-variable, (n − 2)-resilient function must have degree 1 and hence be linear, we consider only the cases 1 ≤ m < n − 2.



ALGORITHM A

input: (n, m) with 1 ≤ m < n − 2.

output: An (n, m, n − m − 1, x) function f. We determine x in Theorem 11.

BEGIN

1. Let s = m + 3 and let r be such that 2^{r−1} < 2^{n−m−2} / s ≤ 2^r. Let i = s − 2^{n−m−2−r}, i.e., (s − i) 2^r = 2^{n−m−2}. Now several cases arise.

2. r = 0, i > 0: Here f is the concatenation of (s − i − 1) functions containing x_1 and the one function not containing x_1 from the set L_{m+2}(m + 1). Output f and STOP.

3. r = 0, i = 0, m + 2 is odd: template = (s, (s, 1)).

4. r > 0, i = 0, r is even: template = (s, (s − 2, 2^r), (1, 2^r + 1), (1, 2^r − 1)).

5. r > 0, i = 0, r is odd: template = (s/2 + 2, (s/2 − 1, 2^{r+1}), (1, 2^r), (1, 2^{r−1} + 1), (1, 2^{r−1} − 1)).

6. r = 1, i > 0: template = (s − i + 1, (s − i − 1, 2), (2, 1)).

7. r = 2, i > 1: template = (s − i + 2, (s − i − 1, 4), (1, 2), (2, 1)).

8. r > 2, i = 1, r is even: template = (s, (s − 2, 2^r), (1, 2^{r−1} + 1), (1, 2^{r−1} − 1)).

9. r > 2, i = 1, r is odd: template = (…, (…, 2^{r+1}), (1, 2^r), (1, 2^{r−1} + 1), (1, 2^{r−1} − 1)).

10. r > 2, i > 1: template = (s − i + 2, (s − i − 1, 2^r), (1, 2^{r−1}), (1, 2^{r−2} + 1), (1, 2^{r−2} − 1)).

11. Let template = (s, (s_1, t_1), …, (s_k, t_k)). For each j, choose λ_j^1, …, λ_j^{s_j} to be distinct linear functions from L_{m+2}(m + 1) and β_j^1, …, β_j^{s_j} to be strings of length t_j having maximum possible nonlinearity. (Note that the β's may be fractional strings.) Then f is the concatenation of the following sequence of functions:

λ_1^1 $ β_1^1 … λ_1^{s_1} $ β_1^{s_1} λ_2^1 $ β_2^1 … λ_2^{s_2} $ β_2^{s_2} … λ_k^1 $ β_k^1 … λ_k^{s_k} $ β_k^{s_k}.

END.



Theorem 11. Algorithm A constructs an (n, m, n − m − 1, x) function f in Γ_1(n, m + 2), where the values of x in the different cases (corresponding to the line numbers of Algorithm A) are as follows: (2) 2^{n−1} − 2^{m+1}; (3) 2^{n−1} − 2^{m+1}; (4) 2^{n−1} − 2^{m+1} Effect(2^r + 1); (5) 2^{n−1} − 2^{m+1} Effect(2^{r+1}); (6) 2^{n−1} − 2^{m+2}; (7) 2^{n−1} − 2^{m+2}; (8) 2^{n−1} − 2^{m+1} Effect(2^{r−1} + 1); (9) 2^{n−1} − 2^{m+1} Effect(2^{r+1}); (10) 2^{n−1} − 2^{m+1} Effect(2^r).

Example: Using Algorithm A it is possible to construct (9, 3, 5, 224) functions having template = (6, (3, 4), (1, 2), (2, 1)).
5.2 Use of Nonlinear Resilient Function

Here we use the idea of Subsection 3.5 to provide a construction method for optimized resilient functions. The constructed functions are not in Γ_1.

Let nl_a(n, m) be the nonlinearity of a function obtained by Algorithm A with (n, m) as input. Similarly, let nl_b(n, m) be the highest nonlinearity of a function obtained using Algorithm B (described below) on input (n, m, c) with c ranging from 1 to n − m − 2. We obtain an expression for nl_b(n, m) in Theorem 12. Let nl(n, m) be the maximum of nl_a(n, m) and nl_b(n, m).

ALGORITHM B

input: (n, m, c), with 1 ≤ m < n − 2 and 1 ≤ c ≤ n − m − 2.

output: A balanced (n, m, n − m − 1, x_c) function f_c. The value of x_c is given in Lemma 5.

BEGIN

1. If n = 5, use Algorithm A with input (n, m) to construct a function f. Output f and stop.

2. Let s = C(m + c + 2, m + 1) + … + C(m + c + 2, m + c + 2) and let r be such that 2^{r−1} < ⌈2^{n−(m+c+2)} / s⌉ ≤ 2^r. Let i = s − 2^{n−(m+c+2)−r}, i.e., (s − i) 2^r = 2^{n−(m+c+2)}.

3. i = 0, r = 0: template = (s − 1, (s − 1, 1)).

4. i > 0, r = 0: template = (s − i − 1, (s − i − 1, 1)).

5. i > 0, r = 1: template = (s − i, (s − i − 1, 2), (1, 1)).

6. i = 0, r > 0, r is even: template = (s, (s − 1, 2^r), (1, 2^r − 1)).

7. i = 0, r > 0, r is odd: template = (s/2 + 2, (s/2 − 1, 2^{r+1}), (1, 2^r), (1, 2^{r−1}), (1, 2^{r−1} − 1)).

8. i > 0, r = 2: template = (s − i + 1, (s − i − 1, 4), (1, 2), (1, 1)).

9. i = 1, r > 2, r is even: template = (s, (s − 2, 2^r), (1, 2^{r−1}), (1, 2^{r−1} − 1)).

10. i = 1, r > 2, r is odd: template = (…, (…, 2^{r+1}), (1, 2^r), (1, 2^{r−1}), (1, 2^{r−1} − 1)).

11. i > 1, r > 2: template = (s − i + 2, (s − i − 1, 2^r), (1, 2^{r−1}), (1, 2^{r−2}), (1, 2^{r−2} − 1)).

12. Using the template and linear couples from L_{m+c+2}(m + 1), we first build a string f_1 as in Algorithm A. Then the function f_c is f_1 g, where g is an (m + c + 2, m, m + c + 1, y) function with y = nl(m + c + 2, m).

END.

Note that the use of the function nl(n, m) makes Algorithm B a recursive function. Let the nonlinearity of a function f_c constructed by Algorithm B on input (n, m, c) be nl_B(n, m, c).

Lemma 5. Let f_c be constructed by Algorithm B. Then f_c is a balanced (n, m, n − m − 1, x_c) function, where x_c = nl_B(n, m, c) and the values of x_c in the different cases (corresponding to the line numbers of Algorithm B) are as follows: (3) 2^{n−1} − 2^k + y; (4) 2^{n−1} − 2^k + y; (5) 2^{n−1} − 3 × 2^{k−1} + y; (6) 2^{n−1} − (1 + Effect(2^r − 1)) 2^{k−1} + y; (7) 2^{n−1} − (1 + Effect(2^{r+1})) 2^{k−1} + y; (8) 2^{n−1} − 3 × 2^{k−1} + y; (9) 2^{n−1} − (1 + Effect(2^{r−1} − 1)) 2^{k−1} + y; (10) 2^{n−1} − (1 + Effect(2^{r+1})) 2^{k−1} + y; (11) 2^{n−1} − (1 + Effect(2^r)) 2^{k−1} + y, where k = m + c + 2 and y = nl(m + c + 2, m).
Algorithm B is used iteratively over the possible values of c from 1 to n − m − 2 and the function with the best nonlinearity is chosen. The maximum possible nonlinearity nl_b(n, m) obtained by using Algorithm B in this fashion is given by the following theorem.

Theorem 12. nl_b(n, m) ≥ max_{1 ≤ c ≤ n−m−2} nl_B(n, m, c).

Example: Using Algorithm B one can construct (9, 2, 6, 232) functions in Γ(9, 5, 2) having template (15, (15, 1)); a (5, 2, 2, 8) function is used to fill the 16th slot.



6 Comparison to Existing Research

Here we show the power of our techniques by establishing the superiority of our results over all known results in this area.

The best known results for the Γ_1 approach follow from the work of [2]. However, they considered only a proper subset of Γ_1 and obtained a bound of 2^{n−1} − 2^{⌊n/2⌋} on the nonlinearity of resilient functions. Also in [8], it was conjectured that this is the maximum possible nonlinearity of resilient functions. All the results in Section 4 provide higher nonlinearities than this bound. In particular, this bound is broken and hence the conjecture is disproved for the set Γ_1 as well as for optimized functions.



Table. Nonlinearities of optimized (n, m, n − m − 1, x) functions.

 n  |  m = 1                 |  m = 2                 |  m = 3                 |  m = 4
    |  [7]   [8]   Our       |  [7]   [4]   Our       |  [7]   nl_a  nl_b      |  [7]   nl_a  nl_b
----+------------------------+------------------------+------------------------+-----------------------
 8  |  108   112   112^a     |   88    -    112^b     |   80    96    80       |   32    96    32
 9  |  220   236   240^b     |  216   224   232^e     |  176   224   208       |  160   192   160
10  |  476   480   484^c     |  440    -    480^b     |  432   448   464       |  352   448   416
11  |  956   976   992^b     |  952    -    984^e     |  880   960   944       |  864   896   928
12  | 1980    -   1996^d     | 1912    -   1984^b     | 1904  1920  1968       | 1760  1920  1888

a: Algorithm A; b: Theorem 10; c: Theorem 9; d: Theorem 8; e: Algorithm B.

For the n − m − 1 approach the best known results follow from the work of [15,4], [7,8,18]. In [4], exhaustive search techniques are used to obtain (5, 0, 4, 12) and (7, 0, 6, 56) functions. For 9 variables, they could only obtain (9, 0, 7, 240) functions and not (9, 0, 8, 240) functions. Also such techniques cannot be used for a large number of variables. In contrast, Theorem 10 can be used to construct (2p + 1, 0, 2p, 2^{2p} − 2^p) functions for all p ≥ 1 and hence is clearly superior to the results of [4].

In the Table, we compare the nonlinearities of optimized (n, m, n − m − 1, x) functions. The columns nl_a and nl_b are the nonlinearities obtained by Algorithm A and Algorithm B respectively. We do not compare results with [15], since it is clear that Algorithm A significantly improves on the lower bound on nonlinearity obtained in [15].

The table clearly shows the superiority of our method compared to the previous methods. Also it can be checked that the nonlinearities obtained in Theorem 11 are better than those obtained in [7] for all orders of resiliency. We can construct (9, 3, 5, 224) functions and (9, 2, 6, 232) functions using Algorithm A and Algorithm B respectively. These improve over the (9, 2, 6, 224) functions of [4] both in terms of order of resiliency and nonlinearity.



7 Nonlinearity of Balanced Functions

In this section we discuss the nonlinearity and algebraic degree of balanced functions. Patterson and Wied emann [9] constructed 15-variable functions with nonlinearity 16276 and weight 16492. Seberry, Zhang and Zheng [14] used such functions to construct balanced functions with nonlinearity greater than 2^{n−1} − 2^{(n−1)/2} for odd n ≥ 29. In [14], there was an unsuccessful attempt to construct balanced 15-variable functions having nonlinearity greater than 16256 = 2^{14} − 2^7. First let us provide the following two technical results.

Proposition 2. Let f ∈ Ω_n and f = f_1 f_2, where f_1, f_2 ∈ Ω_{n−1}. If wt(f) is odd then the algebraic degree of f is n. Moreover, if both wt(f_1) and wt(f_2) are odd then the algebraic degree of f is n − 1.

Proposition 3. Given a balanced function f ∈ Ω_n with nl(f) = x, one can construct a balanced f' ∈ Ω_n with nl(f') ≥ x − 2 and deg(f') = n − 1.

Now, we identify an important result which is the first step towards constructing a balanced 15-variable function with nonlinearity greater than 16256.

Proposition 4. It is possible to construct f ∈ Ω_15 with nonlinearity 16276 and weight 16364.

Proof: Consider a function f_1 ∈ Ω_15 with nl(f_1) = 16276 and wt(f_1) = 16492. From [9], we know that there are 3255 linear functions in L_15 at a distance 16364 from f_1. Let l be one of these 3255 linear functions. Define f = f_1 ⊕ l. Then f ∈ Ω_15, nl(f) = nl(f_1) = 16276 and wt(f) = wt(f_1 ⊕ l) = d(f_1, l) = 16364. □

Next we have the following randomized heuristic for constructing highly nonlinear balanced functions for odd n ≥ 15.

Algorithm 1: RandBal(n)

1. Let f be a function constructed using Proposition 4. Let n = 2k + 15, k ≥ 0, and let g ∈ Ω_n be defined as follows. For k = 0, take g = f, and for k > 0, take g = f(x_1, …, x_15) ⊕ b(x_16, …, x_n), where b ∈ Ω_{2k} is a bent function. Note that nl(g) = 2^{n−1} − 2^{(n−1)/2} + 20 × 2^k and wt(g) = 2^{n−1} − 20 × 2^k.

2. Divide the string g in Ω_n into 20 × 2^k contiguous substrings of equal length, with the last substring longer than the rest.

3. In each substring choose a position with value 0 uniformly at random and change it to 1. This generates a balanced function h ∈ Ω_n.

4. If nl(h) > 2^{n−1} − 2^{(n−1)/2}, then report. Go to step 1 and continue.

We have run this experiment a number of times and succeeded in obtaining plenty of balanced functions with nonlinearities 2^{14} − 2^7 + 6, 2^{16} − 2^8 + 18, 2^{18} − 2^9 + 46 and 2^{20} − 2^{10} + 104 respectively for 15, 17, 19 and 21 variables. It is possible to distribute the 0's and 1's in the function in a manner (changing steps 2, 3 in Algorithm 1) such that the weights of the upper and lower halves of the function are odd. This provides balanced functions with maximum algebraic degree (n − 1) and the same nonlinearity as before. Note that running Algorithm 1 for large n is time consuming. However, we can extend the experimental results in a way similar to that in [9]. Consider a bent function b(x_1, …, x_{2k}) ∈ Ω_{2k} and f(x_1, …, x_21) with nonlinearity 2^{20} − 2^{10} + 104 as obtained from Algorithm RandBal(). Let g ∈ Ω_{21+2k} be such that g = b ⊕ f. Then it can be checked that nl(g) = 2^{20+2k} − 2^{10+k} + 104 × 2^k. These functions can be modified to get algebraic degree (n − 1) as in Proposition 3. Thus we get the following result.

Theorem 13. One can construct balanced Boolean functions on n = 15 + 2k (k ≥ 0) variables with nonlinearity greater than 2^{n−1} − 2^{(n−1)/2}. Moreover, such functions can have algebraic degree (n − 1).

Dobbertin [3] provided a recursive procedure for modifying a general class of bent functions to obtain highly nonlinear balanced Boolean functions on an even number of variables. A special case of this procedure which modifies the Maiorana-McFarland class of bent functions was provided in [14]. For even n, it is conjectured in [3] that the maximum value of the nonlinearity of balanced functions, which we denote by nlb(n), satisfies the recurrence nlb(n) = 2^{n−1} − 2^{n/2} + nlb(n/2).

We next provide a combined interlinked recursive algorithm to construct highly nonlinear balanced functions for both odd and even n. Note that for an even number of variables, Algorithm 2 uses a special case of the recursive construction in [3]. Further we show how to obtain maximum algebraic degree. The input to this algorithm is n and the output is a balanced f ∈ Ω_n with the currently best known nonlinearity.

Algorithm 2: BalConstruct(n)

1. If n is odd

a) if 3 ≤ n ≤ 13 construct f using Theorem 10(a).

b) if 15 ≤ n ≤ 21 return f to be the best function constructed by RandBal(n).

c) if n ≥ 23

(i) Let b_1 ∈ Ω_{n−21} be bent and g_1 ∈ Ω_21 be the best nonlinear function constructed by RandBal(21). Let f_1 ∈ Ω_n be such that f_1 = b_1 ⊕ g_1.

(ii) Let g_2 = BalConstruct(n − 15) and b_2 ∈ Ω_15 as in Proposition 4. Let f_2 ∈ Ω_n be such that f_2 = g_2 ⊕ b_2.

(iii) If nl(f_1) ≥ nl(f_2) return f_1 else return f_2.

2. If n is even

Let g = BalConstruct(n/2). Let f be the concatenation of g followed by 2^{n/2} − 1 distinct nonconstant linear functions on n/2 variables. Return f.

End Algorithm.

The following points need to be noted for providing the maximum algebraic degree n − 1.

1. For odd n ≤ 13, Theorem 10(a) guarantees degree (n − 1).

2. For odd n, 15 ≤ n ≤ 21, the modification of algorithm RandBal() guarantees algebraic degree (n − 1) without dropping nonlinearity.

3. For odd n ≥ 23, using Proposition 3, degree (n − 1) can be achieved sacrificing nonlinearity by at most 2.

4. For even n, recursively ensure that the algebraic degree of g (in Step 2 of BalConstruct()) is n/2 − 1.
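The even-n step of Algorithm 2 and the recurrence of [3] can be checked on a small case. The Python code below is an added example, not code from the paper: it takes the odd base case from Theorem 10(a) with p = 1 (BalConstruct(3) = x_3 ⊕ x_1x_2), performs the Step 2 concatenation for n = 6, and confirms balancedness, the nonlinearity 2^{n−1} − 2^{n/2} + nlb(n/2) = 32 − 8 + 2 = 26 predicted by the recurrence, and the degree n − 1 that Note 4 aims at. The bit ordering (x_1 is the least significant bit of the index) and the helper names are assumptions of this example.

```python
"""Even-n step of Algorithm 2 (BalConstruct), checked on n = 6.

Added example, not the paper's code.  Truth tables are lists of bits indexed
by the integer x; bit i of x is the variable x_{i+1}, so x_1 is the low bit."""


def wt(x):
    """Hamming weight of an integer."""
    return bin(x).count("1")


def linear(p, mask):
    """Truth table of the linear function <mask, x> on p variables."""
    return [wt(x & mask) & 1 for x in range(1 << p)]


def bal_construct_even(g, p):
    """Step 2 of Algorithm 2: g (balanced, on p variables) followed by the
    2^p - 1 distinct nonconstant linear functions on p variables, one per slot.
    The result is a function on n = 2p variables."""
    f = list(g)
    for mask in range(1, 1 << p):
        f.extend(linear(p, mask))
    return f


def is_balanced(tt):
    return 2 * sum(tt) == len(tt)


def nonlinearity(tt, n):
    """Minimum distance to an affine function, computed straight from the definition."""
    best = len(tt)
    for a in range(1 << n):
        d = sum(1 for x in range(1 << n) if tt[x] != (wt(x & a) & 1))
        best = min(best, d, len(tt) - d)
    return best


def algebraic_degree(tt, n):
    """Degree from the ANF coefficients a_u = XOR of f(v) over all v subset of u."""
    return max((wt(u) for u in range(1 << n)
                if sum(tt[v] for v in range(1 << n) if v & u == v) & 1), default=0)


def dobbertin_rhs(n, nl_half):
    """Right-hand side of the conjectured recurrence nlb(n) = 2^(n-1) - 2^(n/2) + nlb(n/2)."""
    return 2 ** (n - 1) - 2 ** (n // 2) + nl_half


# Odd base case: Theorem 10(a) with p = 1 gives the balanced (3, 0, 2, 2) function x3 + x1 x2.
G3 = [((x >> 2) & 1) ^ ((x & 1) & ((x >> 1) & 1)) for x in range(8)]
F6 = bal_construct_even(G3, 3)

if __name__ == "__main__":
    print("balanced:", is_balanced(F6))                                   # True
    print("nl(F6) =", nonlinearity(F6, 6),
          "recurrence:", dobbertin_rhs(6, nonlinearity(G3, 3)))          # 26 26
    print("deg(F6) =", algebraic_degree(F6, 6))                           # 5
```

Every linear slot is balanced and distinct, so the concatenation stays balanced and its Walsh values are at most 2^{n/2} larger than those of g; the degree n − 1 comes from the term that singles out the first slot (a product of all n/2 selector variables) multiplied by the degree-2 base function, which is why Note 4 asks for g to have degree n/2 − 1 at every level of the recursion.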

In this section we have shown how to heuristically modify the Patterson- 
Wiedemann functions to obtain balancedness while retaining nonlinearity higher 
than the bent concatenation bound. However, the question of mathematically 
constructing such functions remains open. Also settling the conjecture in [3] is 
an important unsolved question. 

8 Propagation Characteristics, Strict Avalanche Criteria 

In this section we provide important results on propagation characteristics and strict avalanche criteria. The following is a general construction of Boolean functions introduced in [6]:

f(x_1, …, x_s, y_1, …, y_t) = [x_1 … x_s] A [y_1 … y_t]^T ⊕ g(x_1, …, x_s), (*)

where A is an s × t binary matrix and g(x_1, …, x_s) is any function.

Under certain conditions on A, the function f satisfies PC(l) of order k (see [6]). Moreover, according to the proof of [6, Theorem 16], nl(f) = 2^t nl(g) and deg(f) = deg(g). It is possible to significantly improve the results of [6] by using functions constructed by the methods of Section 7.

Theorem 14. For odd s, it is possible to construct PC(l) of order k functions f such that (a) deg(f) = s − 1 and nl(f) > 2^{s+t−1} − 2^{t+(s−1)/2} for 3 ≤ s ≤ 13, (b) deg(f) = s and nl(f) > 2^{s+t−1} − 2^{t+(s−1)/2} for s ≥ 15.

Proof: For 3 ≤ s ≤ 13, s odd, we can consider g ∈ Ω_s as the function available from Theorem 10(a) with algebraic degree s − 1 and nonlinearity 2^{s−1} − 2^{(s−1)/2}. For s ≥ 15, one can consider g ∈ Ω_s with nonlinearity 2^{s−1} − 2^{(s−1)/2} + 20 × 2^{(s−15)/2} − 1 and algebraic degree s. This can be obtained by considering a function on s variables with maximum known nonlinearity and then making wt(g) odd by toggling one bit. This will provide the full algebraic degree and decrease the nonlinearity by at most 1 only. □

For odd s, the corresponding result in [6] is deg(f) = … and nl(f) ≥ 2^{s+t−1} − 2^{t+(s−1)/2}, which is clearly improved in Theorem 14.

Now we show how to obtain maximum algebraic degree in this construction at the cost of a small fall in nonlinearity. For odd s between 3 and 13, deg(g) can be made s by changing one bit of g. This decreases nl(g) by one. The corresponding parameters of f are deg(f) = s and nl(f) > 2^{s+t−1} − 2^{t+(s−1)/2} − 2^t. For even s, the result in [6] is deg(f) = s/2 and nl(f) ≥ 2^{s+t−1} − 2^{t+s/2−1}. As before, by changing one bit of g we can ensure deg(f) = s and nl(f) ≥ 2^{s+t−1} − 2^{t+s/2−1} − 2^t. Also in [13], we show that it is possible to construct PC(1) functions with nonlinearity strictly greater than 2^{n−1} − 2^{(n−1)/2} for all odd n ≥ 15.

Next we turn to the study of SAC(k) combined with the properties of balancedness, degree and nonlinearity. This is the first time that all these properties are being considered together with SAC(k). The proofs for the next few results are quite involved. Hence we present the constructions clearly and only sketch the proofs.

In [6], (*) has been used for the construction of SAC(k) functions by setting s = n − k − 1, t = k + 1 and A to be the (n − k − 1) × (k + 1) matrix whose elements are all 1. Under these conditions the function f takes the form f(x_1, …, x_n) = (x_1 ⊕ … ⊕ x_{n−k−1})(x_{n−k} ⊕ … ⊕ x_n) ⊕ g(x_1, …, x_{n−k−1}). Moreover, it was shown that f is balanced if |{x | g(x) = 0, xA = 0}| = |{x | g(x) = 1, xA = 0}|, where x = (x_1, …, x_{n−k−1}). It is important to interpret this idea with respect to the truth table of g. This means that f is balanced if #{x | g(x) = 0, wt(x) = even} = #{x | g(x) = 1, wt(x) = even}. Thus, in the truth table we have to check for balancedness of g restricted to the rows where the weight of the input string is even. In half of such places g must be 0 and in the other half g must be 1. Motivated by this discussion we make the following definition of brEven (restricted balancedness with respect to inputs with even weight) and brOdd (restricted balancedness with respect to inputs with odd weight).

Definition 2. Let g ∈ Ω_p, x = (x_1, …, x_p). Then g is called brEven (resp. brOdd) if #{g(x) = 0 | wt(x) = even} = #{g(x) = 1 | wt(x) = even} = 2^{p−2} (resp. #{g(x) = 0 | wt(x) = odd} = #{g(x) = 1 | wt(x) = odd} = 2^{p−2}).

The next result is important as it shows that certain types of bent functions can be brEven. This allows us to obtain balanced SAC(k) functions with very high nonlinearity which could not be obtained in [6].

Proposition 5. For p even, it is possible to construct bent functions g ∈ Ω_p which are brEven.

Proof: First note that g is brEven iff g^c is brEven. Let p = 2q. For 0 ≤ i ≤ 2^q − 1 let l_i ∈ Ω_q be the linear function i_q x_q ⊕ … ⊕ i_1 x_1, where i_q … i_1 is the q-bit binary expansion of i. We provide a construction of bent functions g(x_1, …, x_p) which are brEven. Let x = (x_1, …, x_p).

Case 1: q ≡ 1 mod 2. Let g = l_0 l_{f_1} … l_{f_{2^q−2}} l_{2^q−1}, where f_1, …, f_{2^q−2} ∈ {1, …, 2^q − 2} and f_i ≠ f_j for i ≠ j. It is well known that such a g is bent [11]. We show that g is brEven. First we have the following three results which we state without proofs.

(a) #{l_0(x_1, …, x_q) = 0 | wt(x_1, …, x_p) = even} = 2^{q−1} and #{l_0(x_1, …, x_q) = 1 | wt(x_1, …, x_p) = even} = 0.

(b) Since the l_{f_i}'s are degenerate affine functions in Ω_p, it is possible to show that individually they are both brEven and brOdd.

(c) Using the fact that q = p/2 is odd and l_{2^q−1} = x_1 ⊕ … ⊕ x_q, it is possible to show that #{l_{2^q−1}(x_1, …, x_p) = 0 | wt(x_1, …, x_p) = even} = 0 and #{l_{2^q−1}(x_1, …, x_p) = 1 | wt(x_1, …, x_p) = even} = 2^{q−1}.

Then using wt(x_1, …, x_p) = wt(x_1, …, x_q) + wt(x_{q+1}, …, x_p) and the fact that g is the concatenation of l_0 l_{f_1} … l_{f_{2^q−2}} l_{2^q−1}, it is possible to show that g is brEven.

Case 2: For q ≡ 0 mod 2, the result is true for bent functions of the form g = l_0^c l_{f_1} … l_{f_{2^q−2}} l_{2^q−1}. □
In [6, Theorem 32] it has been stated that for n − k − 1 even, there exist balanced SAC(k) functions such that deg(f) = n − k − 2. The question whether such functions with algebraic degree n − k − 1 exist has been left as an open question. The next result shows the existence of such functions, which proves that the bound on algebraic degree provided in [10] is indeed tight for k < n/2 − 1.

Theorem 15. Let (n − k − 1) > (k + 1), i.e. k < n/2 − 1, and n − k − 1 even. Then it is possible to construct a balanced SAC(k) function f ∈ Ω_n such that deg(f) = n − k − 1. Moreover nl(f) = 2^{n−1} − 2^{(n+k−1)/2} − 2^{k+1}.

Proof: Use a bent function g ∈ Ω_{n−k−1} which is brEven. Out of the 2^{n−k−1} bit positions in g (in the output column of the truth table), there are 2^{n−k−2} positions where wt(x_1, …, x_{n−k−1}) = odd, and the value of g at these positions can be toggled without disturbing the brEven property. Since g is bent, wt(g) = even. Thus we choose a row j in the truth table where wt(x_1, …, x_{n−k−1}) = odd and construct g' by toggling the output bit. Thus wt(g') = wt(g) ± 1 = odd. Hence by Proposition 2, deg(g') = n − k − 1. Thus, f(x_1, …, x_n) = (x_1 ⊕ … ⊕ x_{n−k−1})(x_{n−k} ⊕ … ⊕ x_n) ⊕ g'(x_1, …, x_{n−k−1}) is balanced SAC(k) with algebraic degree n − k − 1. Also nl(g') = nl(g) − 1 = 2^{n−k−2} − 2^{(n−k−3)/2} − 1.

Now, it can be checked that nl(f) = 2^{k+1} × nl(g') = 2^{n−1} − 2^{(n+k−1)/2} − 2^{k+1}. □
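The construction (*) specialised to SAC(k), Definition 2 and the one-bit toggle in the proof of Theorem 15 can all be checked exhaustively on a small instance. The Python code below is an added example, not code from the paper: it builds f = (x_1 ⊕ … ⊕ x_{n−k−1})(x_{n−k} ⊕ … ⊕ x_n) ⊕ g for n = 6, k = 1 from the brEven bent seed g = x_1x_2 ⊕ x_3x_4 ⊕ x_1 (my choice, not a function from the paper), then checks balancedness, SAC(1), degree and nonlinearity before and after toggling one odd-weight row of g, exactly as the proof prescribes. The bit ordering (x_1 is the least significant bit of the index) and the helper names are assumptions of this example.

```python
"""Balanced SAC(k) functions from construction (*) with the all-ones matrix,
the brEven/brOdd test of Definition 2 and the toggle step of Theorem 15.

Added example, not the paper's code.  Truth tables are lists of bits indexed
by the integer x; bit i of x is the variable x_{i+1} (x_1 is the low bit)."""
from itertools import combinations


def wt(x):
    """Hamming weight of an integer."""
    return bin(x).count("1")


def is_br_even(g, p):
    """#{g = 0 on even-weight inputs} = #{g = 1 on even-weight inputs} = 2^(p-2)."""
    zeros = sum(1 for x in range(1 << p) if wt(x) % 2 == 0 and g[x] == 0)
    ones = sum(1 for x in range(1 << p) if wt(x) % 2 == 0 and g[x] == 1)
    return zeros == ones == 2 ** (p - 2)


def is_br_odd(g, p):
    """Same count restricted to odd-weight inputs."""
    zeros = sum(1 for x in range(1 << p) if wt(x) % 2 == 1 and g[x] == 0)
    ones = sum(1 for x in range(1 << p) if wt(x) % 2 == 1 and g[x] == 1)
    return zeros == ones == 2 ** (p - 2)


def sac_construction(g, n, k):
    """f(x) = (x_1+...+x_{n-k-1}) (x_{n-k}+...+x_n) + g(x_1..x_{n-k-1}), the form of [6]."""
    s = n - k - 1
    out = []
    for x in range(1 << n):
        lo, hi = x & ((1 << s) - 1), x >> s
        out.append(((wt(lo) & 1) & (wt(hi) & 1)) ^ g[lo])
    return out


def toggle_odd_row(g):
    """Theorem 15: flip g at one odd-weight input (here x_1 = 1, all other x_i = 0).
    The brEven property survives and the weight of g becomes odd."""
    g2 = list(g)
    g2[1] ^= 1
    return g2


def is_balanced(tt):
    return 2 * sum(tt) == len(tt)


def satisfies_sac(tt, n):
    """SAC: every first-order derivative f(x) + f(x + e_i) is balanced."""
    return all(is_balanced([tt[x] ^ tt[x ^ (1 << i)] for x in range(1 << n)])
               for i in range(n))


def restrict(tt, n, fixed):
    """Sub-function obtained by fixing the variables in `fixed` (index -> bit)."""
    free = [i for i in range(n) if i not in fixed]
    out = []
    for y in range(1 << len(free)):
        x = sum(((y >> j) & 1) << i for j, i in enumerate(free))
        x |= sum(b << i for i, b in fixed.items())
        out.append(tt[x])
    return out


def satisfies_sac_k(tt, n, k):
    """SAC(k): fixing any k inputs to any values leaves a function satisfying SAC."""
    return all(satisfies_sac(restrict(tt, n, {v: (bits >> j) & 1 for j, v in enumerate(vs)}), n - k)
               for vs in combinations(range(n), k) for bits in range(1 << k))


def nonlinearity(tt, n):
    """Minimum distance to an affine function, computed straight from the definition."""
    best = len(tt)
    for a in range(1 << n):
        d = sum(1 for x in range(1 << n) if tt[x] != (wt(x & a) & 1))
        best = min(best, d, len(tt) - d)
    return best


def algebraic_degree(tt, n):
    """Degree from the ANF coefficients a_u = XOR of f(v) over all v subset of u."""
    return max((wt(u) for u in range(1 << n)
                if sum(tt[v] for v in range(1 << n) if v & u == v) & 1), default=0)


def theorem15_nonlinearity(n, k):
    """2^(k+1) * nl(g') with nl(g') = 2^(s-1) - 2^((s-1)/2) - 1, s = n-k-1 (proof of Theorem 15)."""
    s = n - k - 1
    return 2 ** (k + 1) * (2 ** (s - 1) - 2 ** ((s - 1) // 2) - 1)


# Constructed seed (assumption of this example): g = x1x2 + x3x4 + x1 is bent and brEven.
P, N, K = 4, 6, 1
G = [((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)) ^ (x & 1) for x in range(1 << P)]
G_TOGGLED = toggle_odd_row(G)
F_PLAIN = sac_construction(G, N, K)                # balanced SAC(1), degree 2, nl 24
F_FULL_DEGREE = sac_construction(G_TOGGLED, N, K)  # balanced SAC(1), degree 4, nl 20
```

Before the toggle the bilinear term dominates the degree (2 = n − k − 2, the value [6, Theorem 32] reaches); flipping one odd-weight bit of g makes its weight odd, pushes deg(g') to 4 = n − k − 1 by Proposition 2, leaves brEven (so f stays balanced) and costs exactly 2^{k+1} = 4 in nonlinearity: 24 becomes 20, matching 2^{k+1} nl(g').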

Next we provide similar results for odd n − k − 1. The result is extremely important in the sense that the functions constructed in [9] can be modified to get restricted balancedness and hence can be used in the construction of highly nonlinear, balanced SAC(k) functions. We know of no other place where the functions provided by Patterson and Wiedemann [9] have been used in the construction of SAC(k) functions.

Proposition 6. For p odd, it is possible to construct brEven g ∈ Ω_p with nonlinearity (i) 2^{p−1} − 2^{(p−1)/2} for p ≤ 13, and (ii) 2^{p−1} − 2^{(p−1)/2} + 20 × 2^{(p−15)/2} for p ≥ 15.

Proof: For p ≤ 13, the idea of bent concatenation and techniques similar to those in the proof of Proposition 5 can be used. For p ≥ 15 the construction is different. We just give an outline of the proof. Let f_1 ∈ Ω_15 be one of the functions constructed in [9]. Note that nl(f_1) = 2^{14} − 2^7 + 20. Now consider the 32768 functions of the form f_1 ⊕ l, where l ∈ L_15. We have found functions among these which are brOdd (but none which are brEven). Let f_2(x_1, …, x_15) be such a brOdd function. It is then possible to show that f_3(x_1, …, x_15) = f_2(x_1 ⊕ a_1, …, x_15 ⊕ a_15) is brEven when wt(a_1, …, a_15) is odd. Note that nl(f_2) = nl(f_3) = nl(f_1). Let b(y_1, …, y_{2k}) be a bent function on 2k variables. Define g ∈ Ω_{15+2k} as follows: g = (y_1 ⊕ … ⊕ y_{2k})(b ⊕ f_2) ⊕ (1 ⊕ y_1 ⊕ … ⊕ y_{2k})(b ⊕ f_3). It can be proved that g is brEven and nl(g) = 2^{14+2k} − 2^{7+k} + 20 × 2^k. □

Theorem 16. Let (n − k − 1) > (k + 1), i.e. k < n/2 − 1, and n − k − 1 odd. Then it is possible to construct a balanced SAC(k) function f ∈ Ω_n such that deg(f) = n − k − 1. Moreover, for 2 ≤ n − k − 1 ≤ 13, nl(f) = 2^{n−1} − 2^{(n+k)/2} − 2^{k+1}, and for n − k − 1 ≥ 15, nl(f) = 2^{n−1} − 2^{(n+k)/2} + 20 × 2^{(n+k−14)/2} − 2^{k+1}.
This shows that it is possible to construct highly nonlinear balanced functions
satisfying SAC(k) with maximum possible algebraic degree $n-k-1$. Functions
with all these criteria at the same time have not been considered earlier.

Now we present an interesting result combining resiliency and propagation
characteristics. In [15, Theorem 15], the propagation criterion of resilient functions
has been studied. Those functions satisfy the propagation criterion with respect to a
specific set of vectors. However, they do not satisfy even PC(1), as the propagation
criterion is not satisfied for some vectors of weight 1. For $n$ even, we present a
construction to provide resilient functions in $\Omega_n$ which satisfy PC($\frac{n}{2} - 1$).

Theorem 17. It is possible to construct 1-resilient functions in $\Omega_n$, $n$ even,
with nonlinearity $2^{n-1} - 2^{n/2}$ and algebraic degree $\frac{n}{2} - 1$ which satisfy PC($\frac{n}{2} - 1$).

Proof: Let $f \in \Omega_{n-2}$ be a bent function, $n$ even. Then it can be checked that

$g(x_1, \ldots, x_{n-1}) = (1 \oplus x_{n-1})\, f(x_1, \ldots, x_{n-2}) \oplus x_{n-1}\bigl(1 \oplus f(x_1 \oplus c_1, \ldots, x_{n-2} \oplus c_{n-2})\bigr)$

is balanced and satisfies the propagation criterion with respect to all
nonzero vectors except $(c_1, \ldots, c_{n-2}, 1)$. Also the nonlinearity of $g$ is $2^{n-2} - 2^{n/2 - 1}$.

Let $h(x_1, \ldots, x_n) = (1 \oplus x_n)\, g(x_1, \ldots, x_{n-1}) \oplus x_n\, g(x_1 \oplus d_1, \ldots, x_{n-1} \oplus d_{n-1})$.
Then it can be checked that $h$ is balanced and satisfies the propagation
criterion with respect to all nonzero vectors except $\alpha = (c_1, \ldots, c_{n-2}, x_{n-1} = 1, x_n = 0)$,
$\beta = (d_1, \ldots, d_{n-1}, x_n = 1)$ and $\alpha \oplus \beta$. Also the nonlinearity of $h$ is $2^{n-1} - 2^{n/2}$.

Take $(c_1, c_2, \ldots, c_{n-2})$ in the construction of $g \in \Omega_{n-1}$ from $f \in \Omega_{n-2}$ so
that $wt(c_1, c_2, \ldots, c_{n-2}) = \frac{n}{2} - 1$.

Also $h(x_1, \ldots, x_n) = (1 \oplus x_n)\, g(x_1, \ldots, x_{n-1}) \oplus x_n\, g(x_1 \oplus 1, \ldots, x_{n-1} \oplus 1)$
is correlation immune [1]. Since $g$ is balanced, $h$ is also balanced, which proves
that $h$ is 1-resilient. Now consider $\alpha = (c_1, \ldots, c_{n-2}, x_{n-1} = 1, x_n = 0)$ and
$\beta = (x_1 = 1, \ldots, x_{n-1} = 1, x_n = 1)$. Since $wt(\alpha) = \frac{n}{2} - 1 + 1$ and $wt(\beta) = n$, we
get $wt(\alpha \oplus \beta) = \frac{n}{2}$. Note that $h$ satisfies the propagation criterion with respect to
all the nonzero vectors except $\alpha$, $\beta$, $\alpha \oplus \beta$ and hence satisfies PC($\frac{n}{2} - 1$).

Since $f \in \Omega_{n-2}$ is bent, it is possible to construct $f$ with algebraic degree
$\frac{n}{2} - 1$. It can be checked that the algebraic degree of $h$ equals that of $f$. □
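As an added worked check of the construction in the proof above (example code written for this page, not the paper's own), the following Python builds $g$ and $h$ from the bent function $x_1x_2 \oplus x_3x_4$ for $n = 6$ with $c = (1, 1, 0, 0)$ and verifies by brute force that $h$ is 1-resilient, has nonlinearity $2^{5} - 2^{3} = 24$, algebraic degree 2 and satisfies PC(2) but not PC(3). The helper names, and the convention that variable $x_i$ is stored in bit $i-1$ of the truth-table index, are assumptions of the example.

```python
# Brute-force check of the Theorem 17 construction for n = 6 (hypothetical
# helper code, not from the paper).  Variable x_i lives in bit i-1 of the index.

def truth_table(n, fn):
    """Truth table of fn(x1, ..., xn) over all 2^n inputs."""
    return [fn(*[(x >> i) & 1 for i in range(n)]) for x in range(1 << n)]

def weight(v):
    return bin(v).count("1")

def walsh(t, a):
    """sum_x (-1)^(f(x) + a.x); zero at a = 0 means f is balanced."""
    return sum(1 - 2 * (t[x] ^ (weight(a & x) & 1)) for x in range(len(t)))

def autocorr(t, a):
    """sum_x (-1)^(f(x + a) + f(x)); zero means the derivative D_a f is balanced."""
    return sum(1 - 2 * (t[x ^ a] ^ t[x]) for x in range(len(t)))

def shift(t, c):
    """Truth table of x -> f(x + c)."""
    return [t[x ^ c] for x in range(len(t))]

def theorem17(f, c):
    """From a bent f on n-2 variables and an (n-2)-bit c with wt(c) = n/2 - 1:
       g(x, x_{n-1}) = (1 + x_{n-1}) f(x) + x_{n-1} (1 + f(x + c)),
       h(y, x_n)     = (1 + x_n) g(y) + x_n g(y + (1, ..., 1)).
    Returns the truth table of h."""
    m = len(f).bit_length() - 1                      # m = n - 2
    if weight(c) != m // 2:
        raise ValueError("wt(c) must equal n/2 - 1")
    g = f + [1 ^ v for v in shift(f, c)]             # bit m of the index is x_{n-1}
    return g + shift(g, (1 << (m + 1)) - 1)          # bit m+1 of the index is x_n

def nonlinearity(t):
    """2^(n-1) - max_a |F(f + phi_a)| / 2."""
    return (len(t) - max(abs(walsh(t, a)) for a in range(len(t)))) // 2

def is_resilient(t, order):
    """Balanced and correlation-immune of the given order."""
    return all(walsh(t, a) == 0 for a in range(len(t)) if weight(a) <= order)

def satisfies_pc(t, k):
    """PC(k): every derivative in a direction of weight 1..k is balanced."""
    return all(autocorr(t, a) == 0 for a in range(1, len(t)) if 1 <= weight(a) <= k)

def degree(t):
    """Algebraic degree, via the Moebius transform from truth table to ANF."""
    a, h = list(t), 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((weight(u) for u in range(len(a)) if a[u]), default=0)

BENT4 = truth_table(4, lambda x1, x2, x3, x4: x1 & x2 ^ x3 & x4)   # bent, degree 2 = n/2 - 1
H6 = theorem17(BENT4, c=0b0011)      # c = (1, 1, 0, 0): weight 2 = n/2 - 1 for n = 6

if __name__ == "__main__":
    print("1-resilient:", is_resilient(H6, 1), " nonlinearity:", nonlinearity(H6),
          " degree:", degree(H6), " PC(2):", satisfies_pc(H6, 2),
          " PC(3):", satisfies_pc(H6, 3))
```

The three directions in which PC fails are exactly $\alpha = (c, 1, 0)$, $\beta = (1, \ldots, 1)$ and $\alpha \oplus \beta$, of weights 3, 6 and 3, which is why the function passes PC(2) and fails PC(3).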

9 Conclusion 

In this paper we have considered cryptographically important properties of 
Boolean functions such as balancedness, nonlinearity, algebraic degree, corre- 
lation immunity, propagation characteristics and strict avalanche criteria. The 
construction methods we propose here are new and they provide functions which 
were not known earlier. 
Abstract. We investigate the link between the nonlinearity of a Boolean
function and its propagation characteristics. We prove that highly nonlin- 
ear functions usually have good propagation properties regarding differ- 
ent criteria. Conversely, any Boolean function satisfying the propagation 
criterion with respect to a linear subspace of codimension 1 or 2 has a 
high nonlinearity. We also point out that most highly nonlinear functions 
with a three-valued Walsh spectrum can be transformed into 1-resilient 
functions. 



1 Introduction 

The design of conventional cryptographic systems relies on two fundamental 
principles introduced by Shannon [25]: confusion and diffusion. Confusion aims 
at concealing any algebraic structure in the system. Diffusion consists in spread- 
ing out the influence of a minor modification of the input data over all out- 
puts. Most conventional primitives are concerned with these essential principles: 
secret-key ciphers (block ciphers and stream ciphers) as well as hash functions. 
Confusion and diffusion can be quantified by some properties of the Boolean
functions describing the system. Confusion corresponds to the nonlinearity of
the involved functions, i.e., to their Hamming distances to the set of affine func-
tions. Diffusion is related to the propagation characteristics of the considered
Boolean function $f$: these properties describe the behaviors of the derivatives
$x \mapsto f(x + a) + f(x)$. The relevant cryptographic quantities are the biases of
the output probability distributions of the derivatives relatively to the uniform
distribution; they are measured by the auto-correlation coefficients of the func-
tion. Diffusion is therefore estimated by complementary indicators: propagation
criterion, distance to the set of all Boolean functions with a linear structure and
sum-of-squares indicator. All these quantities will be here considered in a unified
approach.

A major link between diffusion and confusion criteria was pointed out by 
Meier and Staffelbach [18]. They proved that maximal nonlinearity and perfect 
propagation characteristics are equivalent requirements for Boolean functions 
with an even number of variables. Unfortunately those functions which achieve 
perfect diffusion and perfect confusion (called bent functions) are not balanced; 
that means that they do not have a uniform output distribution. The construc- 
tion of balanced Boolean functions having a high nonlinearity and good prop- 
agation characteristics then remains an open problem although such functions 
are essential components of cryptographic primitives. 

In this paper we further investigate the link between diffusion and confusion 
criteria for Boolean functions. We show that highly nonlinear functions usually 
coincide with the functions having remarkable propagation characteristics. In 
this context, we point out the major role played by the highly nonlinear func- 
tions whose Walsh spectrum takes three values. We exhibit general constructions 
of such functions and we prove that they can easily be transformed into balanced 
first-order correlation-immune functions. They are therefore well-suited combin- 
ing functions for pseudo-random generators since they ensure a high resistance 
to fast correlation attacks. 

2 Cryptographic Criteria for Boolean Functions 

A Boolean function with $n$ variables is a function from the set of $n$-bit vectors,
$\mathbf{F}_2^n$, into $\mathbf{F}_2$. Such a function $f$ can be expressed as a unique polynomial in
$x_1, \ldots, x_n$ called its algebraic normal form (see e.g. [14]). Some cryptographic
applications require that this polynomial has a high degree. For instance, when
$f$ is used as a combining function in a pseudo-random generator, its degree
conditions the linear complexity of the produced running-key. The following
notation will be intensively used in the paper. The usual dot product between
two vectors $x$ and $y$ is denoted by $x \cdot y$. For any $a \in \mathbf{F}_2^n$, $\varphi_a$ is the linear
function with $n$ variables defined by $\varphi_a(x_1, \ldots, x_n) = a \cdot x$. The
Walsh transform of a Boolean function $f$ refers to the Fourier transform of the
corresponding sign function $x \mapsto (-1)^{f(x)}$. In this context we denote by $\mathcal{F}(f)$
the value in 0 of the Walsh transform of $f$:

$$\mathcal{F}(f) = \sum_{x \in \mathbf{F}_2^n} (-1)^{f(x)} = 2^n - 2\,wt(f)$$

where $wt(f)$ is the Hamming weight of $f$, i.e., the number of $x \in \mathbf{F}_2^n$ such that
$f(x) = 1$.

The Walsh spectrum of a Boolean function $f$ with $n$ variables therefore consists
of all values $\{\mathcal{F}(f + \varphi_a),\ a \in \mathbf{F}_2^n\}$. Since linear attacks on block ciphers
and correlation attacks on stream ciphers equally search for a linear or an affine
approximation of the involved function, the signs of the Walsh coefficients have
no cryptographic relevance. We then often consider the set $\{\mathcal{F}(f + \varphi_a + \varepsilon),\ a \in
\mathbf{F}_2^n, \varepsilon \in \mathbf{F}_2\}$. The values of this spectrum, called the extended Walsh spectrum,
are symmetric with respect to 0 since $\mathcal{F}(f + \varphi_a + 1) = -\mathcal{F}(f + \varphi_a)$.

We now recall the main cryptographic criteria for Boolean functions and we 
express all of them in terms of Walsh spectrum. A first obvious requirement in 
most applications is that the output of the used Boolean function be uniformly 
distributed. This corresponds to balancedness: 

Definition 1. A Boolean function $f$ is balanced if $\mathcal{F}(f) = 0$.

A second usual criterion is that $f$ should be far from all affine functions
(regarding Hamming distance). In stream cipher applications, when $f$ is used
in a pseudo-random generator as a combining function or as a filtering function,
the existence of a "good" approximation of $f$ by an affine function makes fast
correlation attacks feasible [17,13,12]. Similarly, if $f$ is used in a block cipher as
an S-box component, this would lead to successful linear attacks [15].

Definition 2. The nonlinearity of a Boolean function $f$ with $n$ variables is its
Hamming distance to the set of affine functions. It can be expressed as

$$2^{n-1} - \frac{1}{2}\mathcal{L}(f) \quad \text{where} \quad \mathcal{L}(f) = \max_{a \in \mathbf{F}_2^n} |\mathcal{F}(f + \varphi_a)| .$$

Any Boolean function $f$ with $n$ variables satisfies $\mathcal{L}(f) \ge 2^{n/2}$; the functions for
which equality holds are called bent functions [23]. This lower bound can only
be achieved for even values of $n$. When $n$ is odd, the lowest achievable value
of $\mathcal{L}(f)$ is unknown in the general case: there always exist some functions with
$\mathcal{L}(f) = 2^{(n+1)/2}$ and this value corresponds to the minimum possible nonlinearity
for any $n \le 7$. On the other hand some functions with $\mathcal{L}(f) < 2^{(n+1)/2}$ are
known for any odd $n \ge 15$ [20,21]. From now on, we will focus on highly nonlinear
Boolean functions in the following sense:

Definition 3. Let $f$ be a Boolean function with $n$ variables. Then $f$ is said to
be almost optimal if $\mathcal{L}(f) \le 2^{(n+1)/2}$ when $n$ is odd, and $\mathcal{L}(f) \le 2^{(n+2)/2}$ when
$n$ is even.

Besides its maximum value, the whole Walsh spectrum of a Boolean func-
tion has a great cryptographic significance. When $f$ is used in a combining
pseudo-random generator, the distribution probability of its output should be
unaltered when any $t$ of its inputs are fixed [27]. This property, called $t$-th order
correlation-immunity [26], is characterized by the set of zero values in the Walsh
spectrum [29]:

Definition 4. Let $f$ be a Boolean function with $n$ variables.

— $f$ is correlation-immune with respect to a subset $E$ of $\mathbf{F}_2^n$ if $\mathcal{F}(f + \varphi_a) = 0$
for all $a \in E$.

— $f$ is $t$-th order correlation-immune ($t$-CI) if it is correlation-immune with
respect to $\{x \in \mathbf{F}_2^n, 1 \le wt(x) \le t\}$, where $wt(x)$ denotes the Hamming
weight of the $n$-bit vector $x$, i.e., the number of its nonzero components.

Balanced $t$-th order correlation-immune functions are called $t$-resilient functions.

These criteria may not be compatible in general: there are necessary tradeoffs 
between the degree, the nonlinearity and the correlation-immunity order of a 
function. 

Some other criteria consider the probability distribution of the output differ-
ence of the Boolean function for a fixed input difference. They then focus on the
properties of the functions $D_af : x \mapsto f(x + a) + f(x)$ for $a \in \mathbf{F}_2^n$. The function
$D_af$ is called the derivative of $f$ with respect to direction $a$. The auto-correlation
function of $f$ refers to the function $a \mapsto \mathcal{F}(D_af)$. The auto-correlation coeffi-
cient $\mathcal{F}(D_af)$ then measures the statistical bias of the output distribution of
$D_af$ relatively to the uniform distribution. The propagation characteristics of a
Boolean function can then be estimated by several indicators. Some applications
require that the output difference of a function be uniformly distributed for low-
weight input differences. This property, referred to as propagation criterion [22], is
notably important when the function is used in a hash function or in a block
cipher.

Definition 5. Let $f$ be a Boolean function with $n$ variables.

— $f$ satisfies the propagation criterion with respect to a subset $E$ of $\mathbf{F}_2^n$ if
$\mathcal{F}(D_af) = 0$ for all $a \in E$.

— $f$ satisfies the propagation criterion of degree $k$ (PC($k$)) if it satisfies the
propagation criterion with respect to $\{x \in \mathbf{F}_2^n, 1 \le wt(x) \le k\}$.

The strict avalanche criterion (SAC) [28] actually corresponds to the propagation
criterion of degree 1. It is also recommended that the output distribution of all
derivatives be close to the uniform distribution: the existence of a derivative
whose output takes a constant value with a high probability leads to differential
attacks [3,2]. This means that $|\mathcal{F}(D_af)|$ should be small for all nonzero $a \in \mathbf{F}_2^n$.
Recall that the linear space of $f$ is the subspace of those $a$ such that $D_af$ is
a constant function. Such a nonzero $a$ is said to be a linear structure for $f$. The
maximum value of $|\mathcal{F}(D_af)|$ over all nonzero $a$, called the absolute indicator [30],
then quantifies the distance of $f$ to the set of all Boolean functions with a linear
structure [18]. The only functions whose absolute indicator equals 0 are the bent
functions.

The output distributions of the derivatives can also be studied in average
through the second moment of the auto-correlation coefficients, called the sum-
of-squares indicator [30]:

Definition 6. The sum-of-squares indicator of a Boolean function $f$ with $n$ vari-
ables, denoted by $\mathcal{V}(f)$, is defined by

$$\mathcal{V}(f) = \sum_{a \in \mathbf{F}_2^n} \mathcal{F}^2(D_af) .$$



The above presented criteria are invariant under certain transformations.

Proposition 1. The degree, the extended Walsh spectrum (and the nonlinear-
ity), the absolute indicator and the sum-of-squares indicator are invariant under
addition of an affine function.

The invariance of the propagation characteristics is derived from $\mathcal{F}(D_a(f +
\varphi_\beta)) = (-1)^{a \cdot \beta}\mathcal{F}(D_af)$ for any $a$ and $\beta$ in $\mathbf{F}_2^n$. Most notably, this proposition
implies that if there exists $a \in \mathbf{F}_2^n$ such that $\mathcal{F}(f + \varphi_a) = 0$, then $f + \varphi_a$ is a
balanced function having the same degree, extended Walsh spectrum, absolute
indicator and sum-of-squares indicator as $f$.

Proposition 2. The weight, the degree, the Walsh spectrum (and the nonlinear-
ity), the absolute indicator and the sum-of-squares indicator are invariant under
right composition by a linear permutation of $\mathbf{F}_2^n$.

Both of these types of transformations change neither the size nor the rank of the
sets $E_{CI}(f) = \{a \in \mathbf{F}_2^n, \mathcal{F}(f + \varphi_a) = 0\}$ and $E_{PC}(f) = \{a \in \mathbf{F}_2^n, \mathcal{F}(D_af) = 0\}$.
The first-order correlation immunity and the propagation criterion of degree 1
can therefore be studied up to the previous equivalences:

Proposition 3. Let $f$ be a Boolean function with $n$ variables. If $E_{CI}(f)$ (resp.,
$E_{PC}(f)$) has rank $n$, then there exists a linear permutation $\pi$ of $\mathbf{F}_2^n$ such that
the Boolean function $f \circ \pi$ is first-order correlation-immune (resp., satisfies the
propagation criterion of degree 1).

The rest of the paper is organized as follows. We observe in Section 3 that
the nonlinearity of a Boolean function provides an upper bound on its sum-of-
squares indicator. Moreover, we completely characterize the functions achieving
this bound: their extended Walsh spectra take at most 3 values. In Section 4
we derive a lower bound on the number of zero auto-correlation coefficients of a
function from its nonlinearity. Section 5 is devoted to the nonlinearity of Boolean
functions with a linear structure. We essentially show that these functions are
not almost optimal when the dimensions of their linear spaces exceed 1 for odd $n$,
and 2 for even $n$. Conversely, Section 6 focuses on the functions which satisfy
the propagation criterion with respect to a linear subspace of codimension 1
or 2. We prove that these functions are almost optimal and that they have a
three-valued extended Walsh spectrum when $n$ is odd. For even $n$ we obtain new
characterizations of bent functions. In the last section we study the correlation-
immunity order of Boolean functions with a three-valued Walsh spectrum. Such
functions are 1-resilient (up to a linear permutation) unless $n$ is odd and they
satisfy PC($n-1$). We deduce that for any odd $n$ and any degree $d \le (n+1)/2$,
there exist 1-resilient functions of degree $d$, with $n$ variables, and with
nonlinearity $2^{n-1} - 2^{(n-1)/2}$.

3 Relation between the Sum-of-Squares Indicator and
the Walsh Spectrum

The auto-correlation coefficients of a Boolean function are related to its Walsh 
spectrum through the following formulas. Proofs of these results can notably be 
found in [5] and [30] . 




512 



Anne Canteaut et al. 



Lemma 1. Let $f$ be a Boolean function with $n$ variables. For any $a \in \mathbf{F}_2^n$,

$$\mathcal{F}^2(f + \varphi_a) = \sum_{\beta \in \mathbf{F}_2^n} (-1)^{a \cdot \beta}\, \mathcal{F}(D_\beta f) .$$

Lemma 2. Let $f$ be a Boolean function with $n$ variables. Then

$$\sum_{a \in \mathbf{F}_2^n} \mathcal{F}^4(f + \varphi_a) = 2^n \mathcal{V}(f) .$$

We now point out that the nonlinearity of a function obviously provides an upper
bound on its sum-of-squares indicator, $\mathcal{V}(f)$. Moreover, some further information
on the Walsh spectrum of a function can be derived from the value of $\mathcal{V}(f)$. The
following result was proved independently in [32, Theorem 5]. We give here a
much simpler proof.

Theorem 1. Let $f$ be a Boolean function with $n$ variables and let $\mathcal{L}(f) =
\max_{a \in \mathbf{F}_2^n} |\mathcal{F}(f + \varphi_a)|$. Then we have

$$\mathcal{V}(f) \le 2^n \mathcal{L}(f)^2$$

with equality if and only if the extended Walsh spectrum of $f$ takes at most three
values, $0$, $\mathcal{L}(f)$ and $-\mathcal{L}(f)$.

Proof: Let us consider the following quantity

$$I(f) = \sum_{a \in \mathbf{F}_2^n} \mathcal{F}^2(f + \varphi_a)\bigl[\mathcal{F}^2(f + \varphi_a) - \mathcal{L}(f)^2\bigr] .$$

By Parseval's relation we have $\sum_{a \in \mathbf{F}_2^n} \mathcal{F}^2(f + \varphi_a) = 2^{2n}$. It then follows from
Lemma 2 that $I(f) = 2^n(\mathcal{V}(f) - 2^n\mathcal{L}(f)^2)$. By definition $I(f)$ consists of a sum
of terms $T_a$, $a \in \mathbf{F}_2^n$, which satisfy $T_a < 0$ if and only if $|\mathcal{F}(f + \varphi_a)| < \mathcal{L}(f)$.
Since $|\mathcal{F}(f + \varphi_a)| \le \mathcal{L}(f)$ for any $a$, all terms $T_a$ in $I(f)$ are non positive, and
thus $I(f) \le 0$. The equality holds if and only if all terms $T_a$ in $I(f)$ vanish.
This only occurs if $|\mathcal{F}(f + \varphi_a)| \in \{0, \mathcal{L}(f)\}$ for all $a$. □

Following Definition 3, the sum-of-squares indicator of an almost optimal
function $f$ with $n$ variables then satisfies $\mathcal{V}(f) \le 2^{2n+1}$ if $n$ is odd, and $\mathcal{V}(f) \le
2^{2n+2}$ if $n$ is even.

Example 1. We consider the following function of degree 5 with 7 variables:

$$f(x_1, \ldots, x_7) = x_1x_2x_3x_4x_5 + x_1x_3x_7 + x_1x_2 + x_3x_4 + x_5x_6 .$$

This function is almost optimal and its extended Walsh spectrum takes exactly
5 values, $0, \pm 8, \pm 16$. Let $A_i$ denote the number of $a$ such that $|\mathcal{F}(f + \varphi_a)| = i$.
We have $A_0 = 40$, $A_8 = 32$ and $A_{16} = 56$. It follows that $\mathcal{V}(f) = 29696 < 2^{15}$.

This function $f$ can be added to a bent function with $(n-7)$ variables for any
odd $n > 7$. This provides an almost optimal function $g$ with $n$ variables whose
extended Walsh spectrum takes the following 5 values: $0, \pm 2^{(n-1)/2}, \pm 2^{(n+1)/2}$.
Moreover, we have $A_0 = 5 \cdot 2^{n-4}$, $A_{2^{(n-1)/2}} = 2^{n-2}$ and $A_{2^{(n+1)/2}} = 7 \cdot 2^{n-4}$;
thus $\mathcal{V}(g) = 2^{2n+1} - 3 \cdot 2^{2n-4}$.
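To make the indicators of Section 2 and the Theorem 1 check concrete, here is an added Python example (written for this page, not code from the paper). It computes the Walsh spectrum with a fast Walsh-Hadamard transform, derives the auto-correlation coefficients from the squared spectrum (the relation of Lemma 1), and evaluates $\mathcal{L}(f)$, the nonlinearity, $\mathcal{V}(f)$, the counts $A_i$ and the sets $E_{CI}(f)$, $E_{PC}(f)$ on the function of Example 1; the quadratic function $x_1x_2 + x_3x_4 + x_5$ is a constructed comparison case that attains equality in Theorem 1. The helper names and the convention that variable $x_i$ is stored in bit $i-1$ of the truth-table index are assumptions of the example.

```python
# Walsh spectrum, nonlinearity L(f), auto-correlation, sum-of-squares V(f) and
# the Theorem 1 / Theorem 2 checks (hypothetical helper code, not from the
# paper).  Variable x_i lives in bit i-1 of the integer index x.

def anf_table(n, monomials):
    """Truth table of the n-variable function whose algebraic normal form is the
    sum of the given monomials; a monomial is a tuple of 1-based variable
    indices, e.g. (1, 3, 7) for x1*x3*x7, and () is the constant 1."""
    table = []
    for x in range(1 << n):
        bit = 0
        for mono in monomials:
            bit ^= int(all((x >> (i - 1)) & 1 for i in mono))
        table.append(bit)
    return table

def fwht(vec):
    """In-place fast Walsh-Hadamard transform: out[a] = sum_x vec[x] (-1)^(a.x)."""
    h = 1
    while h < len(vec):
        for i in range(0, len(vec), 2 * h):
            for j in range(i, i + h):
                u, v = vec[j], vec[j + h]
                vec[j], vec[j + h] = u + v, u - v
        h *= 2
    return vec

def walsh_spectrum(table):
    """All F(f + phi_a) = sum_x (-1)^(f(x) + a.x), indexed by a."""
    return fwht([1 - 2 * v for v in table])

def autocorrelation(table):
    """All F(D_a f) = sum_x (-1)^(f(x+a) + f(x)), indexed by a, obtained by
    transforming the squared Walsh spectrum and dividing by 2^n (Lemma 1)."""
    n2 = len(table)
    return [c // n2 for c in fwht([w * w for w in walsh_spectrum(table)])]

def analyse(table):
    """The indicators of Section 2 plus the Theorem 1 and Definition 3 checks."""
    n2 = len(table)
    n = n2.bit_length() - 1
    W = walsh_spectrum(table)
    AC = autocorrelation(table)
    L = max(abs(w) for w in W)                        # L(f)
    V = sum(c * c for c in AC)                        # sum-of-squares indicator
    magnitudes = sorted({abs(w) for w in W})          # |values| of the extended spectrum
    bound = 2 ** ((n + 1) // 2) if n % 2 else 2 ** ((n + 2) // 2)
    return {
        "n": n,
        "L": L,
        "nonlinearity": (n2 - L) // 2,                # 2^(n-1) - L(f)/2
        "V": V,
        "balanced": W[0] == 0,
        "almost_optimal": L <= bound,                 # Definition 3
        "counts": {m: sum(1 for w in W if abs(w) == m) for m in magnitudes},
        "three_valued": magnitudes in ([L], [0, L]),  # spectrum within {0, +/-L}
        "theorem1_bound": V <= n2 * L * L,
        "theorem1_equality": V == n2 * L * L,
        "E_CI": {a for a in range(1, n2) if W[a] == 0},
        "E_PC": {a for a in range(1, n2) if AC[a] == 0},
    }

def satisfies_pc(table, k):
    """PC(k): F(D_a f) = 0 for all a with 1 <= wt(a) <= k (Definition 5)."""
    AC = autocorrelation(table)
    return all(AC[a] == 0 for a in range(1, len(table)) if bin(a).count("1") <= k)

def correlation_immune(table, t):
    """t-CI: F(f + phi_a) = 0 for all a with 1 <= wt(a) <= t (Definition 4)."""
    W = walsh_spectrum(table)
    return all(W[a] == 0 for a in range(1, len(table)) if bin(a).count("1") <= t)

# Example 1 of the paper: degree 5, 7 variables.
EXAMPLE1 = anf_table(7, [(1, 2, 3, 4, 5), (1, 3, 7), (1, 2), (3, 4), (5, 6)])
# A constructed quadratic function: degree 2, hence an at most three-valued spectrum.
QUADRATIC = anf_table(5, [(1, 2), (3, 4), (5,)])

if __name__ == "__main__":
    for name, t in (("Example 1", EXAMPLE1), ("x1x2 + x3x4 + x5", QUADRATIC)):
        r = analyse(t)
        print(name, {k: r[k] for k in ("L", "nonlinearity", "V", "counts",
                                         "three_valued", "theorem1_equality")})
```

For Example 1 the run reproduces $A_0 = 40$, $A_8 = 32$, $A_{16} = 56$ and $\mathcal{V}(f) = 29696$, strictly below $2^7 \cdot 16^2 = 2^{15}$ because the spectrum has five values; the quadratic function has spectrum $\{0, \pm 8\}$ and meets the Theorem 1 bound exactly, as the remark after Theorem 2 predicts for degree-2 functions.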




Propagation Characteristics and Correlation-Immunity 513 



The functions whose extended Walsh spectra take at most three values are
very specific since their extended Walsh spectrum is completely determined by
their nonlinearity. In this case the values of the Walsh transform belong to
$\{0, \pm\mathcal{L}(f)\}$.

Theorem 2. Let $f$ be a Boolean function with $n$ variables. Assume that the
extended Walsh spectrum of $f$ takes at most three values, $0$ and $\pm\mathcal{L}(f)$. Then
$\mathcal{L}(f) = 2^i$ with $i \ge n/2$ and

$$\#\{a \in \mathbf{F}_2^n,\ |\mathcal{F}(f + \varphi_a)| = \mathcal{L}(f)\} = \frac{2^{2n}}{\mathcal{L}(f)^2} ;$$

$$\#\{a \in \mathbf{F}_2^n,\ |\mathcal{F}(f + \varphi_a)| = 0\} = \frac{2^n(\mathcal{L}(f)^2 - 2^n)}{\mathcal{L}(f)^2} = 2^n - 2^{2n-2i} .$$

Moreover, the degree of $f$ is less than or equal to $n - i + 1$.

Proof: Since $\mathcal{F}^2(f + \varphi_a)$ lies in $\{0, \mathcal{L}(f)^2\}$ for all $a \in \mathbf{F}_2^n$, we have from Parseval's
relation

$$\sum_{a \in \mathbf{F}_2^n} \mathcal{F}^2(f + \varphi_a) = \mathcal{L}(f)^2 A_{\mathcal{L}(f)} = 2^{2n}$$

where $A_{\mathcal{L}(f)} = \#\{a \in \mathbf{F}_2^n,\ |\mathcal{F}(f + \varphi_a)| = \mathcal{L}(f)\}$. It follows that $\mathcal{L}(f) = 2^i$. Since
$A_{\mathcal{L}(f)} \le 2^n$, we deduce that $i \ge n/2$. The upper-bound on the degree of $f$ comes
from the divisibility of the Walsh coefficients [6, Lemma 3]. □

Note that any Boolean function of degree 2 satisfies the hypotheses of the pre-
vious theorem [14, p. 441]. Theorem 2 now implies that the only almost opti-
mal functions having a three-valued extended Walsh spectrum satisfy $\mathcal{L}(f) =
2^{(n+1)/2}$ when $n$ is odd and $\mathcal{L}(f) = 2^{(n+2)/2}$ when $n$ is even (bent functions have
a two-valued extended Walsh spectrum).

4 Propagation Criterion on Highly Nonlinear Functions 

We have pointed out that the nonlinearity of a Boolean function provides an 
upper bound on its sum-of-squares indicator, i.e., on the second moment of the 
auto-correlation coefficients. We now show that it also gives a lower bound on 
the number of zero auto-correlation coefficients. 

Proposition 4. Let $f$ be a Boolean function of degree $d$ with $n$ variables and
let $E_{PC}(f) = \{a \in \mathbf{F}_2^n, \mathcal{F}(D_af) = 0\}$. Then

$$|E_{PC}(f)| \ge 2^n - 1 - \frac{2^n(\mathcal{L}(f)^2 - 2^n)}{2^{2\lfloor (n-2)/(d-1)\rfloor + 4}} .$$

Proof: Since any derivative $D_af$ of $f$ is a function of degree $(d-1)$ with a linear
structure, $\mathcal{F}(D_af)$ is divisible by $2^{\lfloor (n-2)/(d-1)\rfloor + 2}$ [16]. We then deduce

$$\mathcal{V}(f) = \sum_{a \notin E_{PC}(f)} \mathcal{F}^2(D_af) = 2^{2n} + \sum_{a \notin E_{PC}(f),\, a \ne 0} \mathcal{F}^2(D_af)
\ge 2^{2n} + \bigl(2^n - 1 - |E_{PC}(f)|\bigr)\, 2^{2\lfloor (n-2)/(d-1)\rfloor + 4} .$$

We know from Theorem 1 that $\mathcal{V}(f) \le 2^n\mathcal{L}(f)^2$. We therefore deduce the expected
result. □

This bound is essentially relevant for functions having a high nonlinearity and
a low degree. For instance we deduce that almost optimal functions of degree 3
satisfy $|E_{PC}(f)| \ge 2^{n-2} - 1$ when $n$ is even and $|E_{PC}(f)| \ge 2^{n-1} - 1$ when $n$ is
odd.

Corollary 1. Let $n$ be an odd integer. Let $f$ be an almost optimal function of
degree 3 with $n$ variables. Then there exists a permutation $\pi$ of $\mathbf{F}_2^n$ such that $f \circ \pi$
satisfies PC(1) unless there exists an affine subspace $H$ of $\mathbf{F}_2^n$ of codimension 1
such that $\mathcal{F}^2(D_af) = 2^{n+1}$ for any $a \in H$.

Proof: It follows from Proposition 3 that $f$ can be transformed into a function
satisfying PC(1) if $E_{PC}(f)$ has rank $n$. Since the previous theorem implies that
$|E_{PC}(f) \cup \{0\}| \ge 2^{n-1}$, $E_{PC}(f)$ has full rank except if $E_{PC}(f) \cup \{0\}$ is a
hyperplane of $\mathbf{F}_2^n$, i.e., a linear subspace of codimension 1. In this case, the lower
bound on the size of $E_{PC}(f)$ is achieved. It is clear from the proof of the previous
theorem that this occurs if and only if $\mathcal{V}(f) = 2^{2n+1}$ and $\mathcal{F}^2(D_af) = 2^{n+1}$ for
any nonzero $a \in \mathbf{F}_2^n \setminus E_{PC}(f)$. □

This corollary therefore provides a fast algorithm for obtaining almost optimal
functions of degree 3 which satisfy PC(1) when the number of variables is odd.



5 Walsh Spectrum of Boolean Functions with a Linear
Structure

Theorem 1 also enables us to characterize almost optimal functions which have
a linear structure.

Theorem 3. Let $f$ be a Boolean function with $n$ variables. Assume that $f$ has
a linear space $V$ of dimension $k \ge 1$. Then

$$\mathcal{L}(f) \ge 2^{(n+k)/2}$$

with equality if and only if $f$ satisfies the propagation criterion with respect to
$\mathbf{F}_2^n \setminus V$.

In this case, $k$ and $n$ have the same parity and $f$ has a three-valued extended
Walsh spectrum.

Proof: If $f$ has a linear space of dimension $k$, the sum-of-squares indicator
satisfies

$$\mathcal{V}(f) = 2^{2n+k} + \sum_{a \notin V} \mathcal{F}^2(D_af) \ge 2^{2n+k} .$$

Thus $\mathcal{L}(f) \ge 2^{(n+k)/2}$ according to Theorem 1 with equality if and only if $f$ has a
three-valued extended Walsh spectrum and $\mathcal{L}(f) = 2^{(n+k)/2}$. This implies that
$n$ and $k$ have the same parity. □
Corollary 2. Let $n$ be an odd integer and let $f$ be a Boolean function with
$n$ variables. The following assertions are equivalent:

(i) $f$ is almost optimal and it has a linear structure.

(ii) there exists a linear permutation $\pi$ of $\mathbf{F}_2^n$ such that $f \circ \pi$ satisfies PC($n-2$).

(iii) there exists a linear permutation $\pi$ of $\mathbf{F}_2^n$ such that $f \circ \pi$ satisfies PC($n-1$).

Proof: Carlet [7, Prop. 1] proved that the second and third assertions are equiv-
alent. Moreover, any function satisfying PC($n-1$) has a linear structure $e$ and
all its derivatives with respect to direction $a \notin \{0, e\}$ are balanced. The previous
theorem then proves the equivalence with the first assertion. □

The extended Walsh spectrum of an almost optimal function which has a
linear structure is then completely determined unless the number of variables
is even and the linear space has dimension 1. We now give an example of this
situation:

Example 2. Let $f_1$ and $f_2$ be the following almost optimal functions with 8 vari-
ables:

$$f_1(x_1, \ldots, x_8) = x_1x_2x_3x_4x_5 + x_1x_3x_7 + x_1x_2 + x_3x_4 + x_5x_6 + x_8 ,$$
$$f_2(x_1, \ldots, x_8) = x_1x_3x_4x_6 + x_4x_6x_7 + x_1x_2 + x_3x_4 + x_3x_6 + x_8 .$$

Both of these functions have a linear space of dimension 1. From Example 1 we
know that $f_1$ has a 5-valued extended Walsh spectrum and $\mathcal{V}(f_1) = 2^{2n+2} -
3 \cdot 2^{2n-3}$. On the other hand $f_2$ has a 3-valued extended Walsh spectrum and
satisfies $\mathcal{V}(f_2) = 2^{2n+2}$.

6 Functions Satisfying the Propagation Criterion with
Respect to a Linear Subspace

The previous 3 sections have shown that almost optimal functions generally have
good propagation characteristics regarding all indicators. We now conversely fo-
cus on the Walsh spectra of the Boolean functions $f$ which have the following
remarkable propagation property: $f$ satisfies the propagation criterion with re-
spect to any nonzero element of a linear subspace of $\mathbf{F}_2^n$ of codimension 1 or 2.

Proposition 5. Let $V$ be a linear subspace of $\mathbf{F}_2^n$ of dimension $k$. Let $V^\perp$ denote
its dual, i.e., $V^\perp = \{x \in \mathbf{F}_2^n, x \cdot y = 0 \text{ for all } y \in V\}$. For any Boolean function
$f$ with $n$ variables, we have

$$\sum_{a \in V} \mathcal{F}^2(f + \varphi_a) = 2^k \sum_{\beta \in V^\perp} \mathcal{F}(D_\beta f) .$$

Proof: We deduce from Lemma 1:

$$\sum_{a \in V} \mathcal{F}^2(f + \varphi_a) = \sum_{a \in V} \sum_{\beta \in \mathbf{F}_2^n} (-1)^{a \cdot \beta}\mathcal{F}(D_\beta f)
= \sum_{\beta \in \mathbf{F}_2^n} \mathcal{F}(D_\beta f)\Bigl(\sum_{a \in V} (-1)^{a \cdot \beta}\Bigr) = 2^k \sum_{\beta \in V^\perp} \mathcal{F}(D_\beta f)$$

since $\sum_{a \in V} (-1)^{a \cdot \beta}$ equals $2^k$ if $\beta \in V^\perp$ and it equals 0 otherwise. □

We first consider the case where a function $f$ with $n$ variables satisfies the
propagation criterion with respect to any $\beta \ne 0$ belonging to a hyperplane. We
will use the following well-known lemma due to Jacobi (see [8, Ch. VI]):

Lemma 3. Let $n$ be an integer, $n > 2$, and let $X$ and $Y$ be two even integers.
Then the condition $X^2 + Y^2 = 2^{n+1}$ implies

— if $n$ is even, then $X^2 = Y^2 = 2^n$;

— if $n$ is odd, then $X^2 = 2^{n+1}$ and $Y = 0$, or vice-versa.

For odd values of $n$, the functions with $n$ variables having balanced deriva-
tives $D_\beta f$ for every nonzero $\beta$ in a hyperplane can be characterized as follows:



Theorem 4. Let $n$ be an odd integer, $n > 2$, and $f$ be a Boolean function with
$n$ variables. Then the following properties are equivalent.

(i) There is a hyperplane $H \subset \mathbf{F}_2^n$ such that $f$ satisfies the propagation crite-
rion with respect to $H \setminus \{0\}$.

(ii) $f$ has a three-valued extended Walsh spectrum, $\mathcal{L}(f)$ equals $2^{(n+1)/2}$ and
there is some $a \in \mathbf{F}_2^n$ such that

$$\forall \beta \in \mathbf{F}_2^n,\quad \mathcal{F}^2(f + \varphi_\beta) \ne \mathcal{F}^2(f + \varphi_{\beta+a}) .$$

(iii) There is a linear permutation $\pi$ of $\mathbf{F}_2^n$ such that $f \circ \pi(x_1, \ldots, x_n) = (1 +
x_n)g + x_nh$ where both $g$ and $h$ are bent functions with $(n-1)$ variables.

Proof: (i) ⇒ (ii). Let $a \in \mathbf{F}_2^n$ be such that $H = \{x \in \mathbf{F}_2^n, a \cdot x = 0\}$.
Proposition 5 gives for any $\beta \in H$

$$\mathcal{F}^2(f + \varphi_\beta) + \mathcal{F}^2(f + \varphi_{\beta+a}) = 2\sum_{\gamma \in H} \mathcal{F}(D_\gamma(f + \varphi_\beta)) .$$

Since $D_\gamma(f + \varphi_\beta) = D_\gamma(f) + \gamma \cdot \beta$, we have

$$\mathcal{F}^2(f + \varphi_\beta) + \mathcal{F}^2(f + \varphi_{\beta+a}) = 2\sum_{\gamma \in H} (-1)^{\gamma \cdot \beta}\mathcal{F}(D_\gamma f) = 2\mathcal{F}(D_0f) = 2^{n+1} .$$

From Lemma 3, we deduce that, for any $\beta \in H$, $\mathcal{F}^2(f + \varphi_\beta) = 2^{n+1}$ and $\mathcal{F}^2(f +
\varphi_{\beta+a}) = 0$, or vice-versa. It then follows that, for any $\beta \in \mathbf{F}_2^n$, $\mathcal{F}(f + \varphi_\beta)$ belongs
to $\{0, \pm 2^{(n+1)/2}\}$ and that $\mathcal{F}^2(f + \varphi_\beta) \ne \mathcal{F}^2(f + \varphi_{\beta+a})$.

(ii) ⇒ (iii). Let $(e_1, \ldots, e_n)$ denote the canonical basis of $\mathbf{F}_2^n$. Let $\pi$ be a linear
permutation of $\mathbf{F}_2^n$ such that $\pi^{-1}(a) = e_n$. Assertion (ii) gives for any $\beta \in \mathbf{F}_2^n$,

$$\mathcal{F}^2(f \circ \pi + \varphi_\beta) + \mathcal{F}^2(f \circ \pi + \varphi_{\beta+e_n}) = 2^{n+1} . \tag{1}$$

For any $\beta$ in the hyperplane spanned by $e_1, \ldots, e_{n-1}$, $\varphi_\beta$ does not depend on $x_n$.
We then have $\varphi_\beta(x_1, \ldots, x_n) = \varphi(x_1, \ldots, x_{n-1})$ where $\varphi$ describes the set of all
linear functions with $(n-1)$ variables when $\beta$ varies. Using the decomposition
$f \circ \pi(x_1, \ldots, x_n) = (1 + x_n)g + x_nh$, we obtain

$$\mathcal{F}(f \circ \pi + \varphi_\beta) = \mathcal{F}(g + \varphi) + \mathcal{F}(h + \varphi) \quad \text{and} \quad
\mathcal{F}(f \circ \pi + \varphi_{\beta+e_n}) = \mathcal{F}(g + \varphi) - \mathcal{F}(h + \varphi) .$$

Equation (1) now gives

$$\mathcal{F}^2(g + \varphi) + \mathcal{F}^2(h + \varphi) = \frac{1}{2}\bigl(\mathcal{F}^2(f \circ \pi + \varphi_\beta) + \mathcal{F}^2(f \circ \pi + \varphi_{\beta+e_n})\bigr) = 2^n .$$

We deduce from Lemma 3 that, for any linear function $\varphi$, both $\mathcal{F}^2(g + \varphi)$ and
$\mathcal{F}^2(h + \varphi)$ equal $2^{n-1}$, and thus that $g$ and $h$ are bent.

(iii) ⇒ (i). Let $H'$ be the hyperplane spanned by $e_1, \ldots, e_{n-1}$. For any $a \in H'$,
$D_a(f \circ \pi)$ can be decomposed as

$$D_a(f \circ \pi)(x_1, \ldots, x_n) = (1 + x_n)D_ag(x_1, \ldots, x_{n-1}) + x_nD_ah(x_1, \ldots, x_{n-1}) .$$

If $g$ and $h$ are bent, the derivatives $D_ag$ and $D_ah$ are balanced for any $a \in H'$,
$a \ne 0$. It follows that $D_a(f \circ \pi)$ is balanced and thus $D_af$ is balanced for any
nonzero $a$ in $\pi(H')$. □

Remark 1. Assertion (iii) can actually be generalized. For any vector $a \in \mathbf{F}_2^n$,
the restrictions of a Boolean function with $n$ variables to $H_a = \{x \in \mathbf{F}_2^n, a \cdot x =
0\}$ and to its complementary set can be identified with Boolean functions with
$(n-1)$ variables. Moreover, $a \notin H_a$ if and only if $\sum_{i=1}^n a_i$ is odd. In this case,
$\mathbf{F}_2^n$ is the direct sum of $H_a$ and $H_a^\perp$. Exactly as in the previous theorem, we can
prove that if $f$ satisfies (i) then for any $a \in \mathbf{F}_2^n$ such that $\sum_{i=1}^n a_i$ is odd, there
exists a linear permutation $\pi$ of $\mathbf{F}_2^n$ such that both restrictions of $f$ to $H_a$ and
to its complementary set are bent.

When the number of variables is even, we obtain a similar result which pro-
vides new characterizations of bent functions. The detailed proof, which relies
on the same arguments as the previous one, can be found in [4].

Theorem 5. Let $n$ be an even integer, $n > 2$, and $f$ be a Boolean function with
$n$ variables. Then the following properties are equivalent.

(i) There is a hyperplane $H \subset \mathbf{F}_2^n$ such that $f$ satisfies the propagation crite-
rion with respect to $H \setminus \{0\}$.

(ii) For any hyperplane $H \subset \mathbf{F}_2^n$, $f$ satisfies the propagation criterion with re-
spect to $H \setminus \{0\}$.

(iii) $f$ is bent.

(iv) $f(x_1, \ldots, x_n) = (1 + x_n)g + x_nh$ where both $g$ and $h$ are almost optimal
functions with $(n-1)$ variables having a three-valued extended Walsh spec-
trum and, for any linear function $\varphi$ with $(n-1)$ variables, we have

$$\mathcal{F}^2(g + \varphi) \ne \mathcal{F}^2(h + \varphi) .$$

As pointed out in the remark following Theorem 4, Property (iv) also holds
if we consider the decomposition of a bent function with respect to any vector
$a$ such that $\sum_{i=1}^n a_i$ is odd. Note that this theorem is of interest for effective
purposes: for checking that a function $f$ is bent it is sufficient to compute the
$\mathcal{F}(D_af)$ for $a$ in some hyperplane.
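The hyperplane test of Theorem 5 and the decomposition of Theorem 4 are easy to exercise on small functions. The following Python is an added example (written for this page, not code from the paper): it checks bentness of a 4-variable function by computing $\mathcal{F}(D_af)$ only for $a$ in the hyperplane $\{x : x_4 = 0\}$, shows that no hyperplane works for a non-bent function, builds the 5-variable concatenation $(1 + x_5)g + x_5h$ of two bent functions and verifies Theorem 4 (i) and (ii) on it, and checks property (iv) of Theorem 5 on the two restrictions of a bent function. The sample functions, helper names and the convention that $x_i$ is bit $i-1$ of the truth-table index are assumptions of the example.

```python
# Hyperplane-derivative test of Theorems 4 and 5 (hypothetical helper code,
# not from the paper).  Variable x_i lives in bit i-1 of the integer index x.

def truth_table(n, fn):
    """Truth table of fn(x1, ..., xn) over all 2^n inputs."""
    return [fn(*[(x >> i) & 1 for i in range(n)]) for x in range(1 << n)]

def parity(v):
    return bin(v).count("1") & 1

def walsh(table, a):
    """F(f + phi_a) = sum_x (-1)^(f(x) + a.x)."""
    return sum(1 - 2 * (table[x] ^ parity(a & x)) for x in range(len(table)))

def derivative_sum(table, a):
    """F(D_a f) = sum_x (-1)^(f(x+a) + f(x))."""
    return sum(1 - 2 * (table[x ^ a] ^ table[x]) for x in range(len(table)))

def pc_on_hyperplane(table, alpha):
    """Propagation criterion with respect to H \\ {0}, H = {x : alpha.x = 0}."""
    return all(derivative_sum(table, a) == 0
               for a in range(1, len(table)) if parity(alpha & a) == 0)

def is_bent_theorem5(table):
    """Theorem 5, (i) <=> (iii): for even n one hyperplane suffices; here H = {x_n = 0}."""
    n = len(table).bit_length() - 1
    if n % 2:
        raise ValueError("bent functions need an even number of variables")
    return pc_on_hyperplane(table, 1 << (n - 1))

def concatenate(g, h):
    """f(x_1..x_n) = (1 + x_n) g + x_n h (Theorem 4 (iii), Theorem 5 (iv))."""
    return list(g) + list(h)

def decompose(table):
    """Inverse of concatenate: the restrictions g (x_n = 0) and h (x_n = 1)."""
    half = len(table) // 2
    return table[:half], table[half:]

def theorem4_ii_holds(table, a):
    """Theorem 4 (ii) for the vector a: F^2(f + phi_b) != F^2(f + phi_{b+a}) for all b."""
    return all(walsh(table, b) ** 2 != walsh(table, b ^ a) ** 2
               for b in range(len(table)))

# Constructed sample functions.
G = truth_table(4, lambda x1, x2, x3, x4: x1 & x2 ^ x3 & x4)     # bent
H = truth_table(4, lambda x1, x2, x3, x4: x1 & x3 ^ x2 & x4)     # bent
C = truth_table(4, lambda x1, x2, x3, x4: x1 & x2 & x3 ^ x4)     # degree 3, not bent
F = concatenate(G, H)                                            # 5 variables, odd n

if __name__ == "__main__":
    print("G bent:", is_bent_theorem5(G), " C bent:", is_bent_theorem5(C))
    print("F satisfies PC w.r.t. {x_5 = 0} \\ {0}:", pc_on_hyperplane(F, 1 << 4))
    print("L(F) =", max(abs(walsh(F, b)) for b in range(32)),
          " Theorem 4 (ii) holds for a = e_5:", theorem4_ii_holds(F, 1 << 4))
```

For $F$ the Walsh coefficients are sums or differences of two values in $\{\pm 4\}$, so the spectrum is $\{0, \pm 8\}$ with $\mathcal{L}(F) = 2^{(5+1)/2}$, and exactly one of $\mathcal{F}^2(F + \varphi_\beta)$, $\mathcal{F}^2(F + \varphi_{\beta+e_5})$ vanishes for every $\beta$, which is what property (ii) states.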

Similar techniques provide the following result for functions satisfying the
propagation criterion with respect to a linear subspace of codimension 2.

Theorem 6. Let $f$ be a Boolean function with $n$ variables, $n > 2$. Assume that
there exists a linear subspace $V \subset \mathbf{F}_2^n$ of codimension 2 such that $f$ satisfies the
propagation criterion with respect to $V \setminus \{0\}$.

— If $n$ is odd, then $f$ is an almost optimal function with a three-valued extended
Walsh spectrum and there is a linear permutation $\pi$ of $\mathbf{F}_2^n$ such that

$$f \circ \pi(x_1, \ldots, x_n) = (1 + x_{n-1})(1 + x_n)g_{00} + x_{n-1}(1 + x_n)g_{10}
+ (1 + x_{n-1})x_ng_{01} + x_{n-1}x_ng_{11}$$

where all $g_{ij}$ are almost optimal functions with $(n-2)$ variables having a
three-valued extended Walsh spectrum.

— If $n$ is even, then $f$ is either bent or it satisfies $\mathcal{L}(f) = 2^{(n+2)/2}$ and its
Walsh coefficients belong to $\{0, \pm 2^{n/2}, \pm 2^{(n+2)/2}\}$. Moreover, there is a linear
permutation $\pi$ of $\mathbf{F}_2^n$ such that

$$f \circ \pi(x_1, \ldots, x_n) = (1 + x_{n-1})(1 + x_n)g_{00} + x_{n-1}(1 + x_n)g_{10}
+ (1 + x_{n-1})x_ng_{01} + x_{n-1}x_ng_{11}$$

where the Walsh coefficients of all $g_{ij}$ belong to $\{0, \pm 2^{(n-2)/2}, \pm 2^{n/2}\}$.

Converses are not valid in Theorem 6: for odd $n$, there exist some functions
which are not almost optimal and whose restrictions are almost optimal and
have a three-valued extended Walsh spectrum. Moreover, the set of all functions
satisfying the propagation criterion with respect to a subspace of codimension 2
does not contain all almost optimal functions with a three-valued extended Walsh
spectrum.

Example 3. Let f{x \, . . . , X7) = xiX 2 X^Xi-\-xix^xzXQ-\-xiX 2 X^-\-xix^XT-\-xiX 2 -\- 
x^Xj^ -\- x^xq. This almost optimal function has a three-valued extended Walsh 
spectrum but the set $\{a \in \mathbf{F}_2^7, \mathcal{F}(D_af) = 0\} \cup \{0\}$ does not contain any linear
space of dimension 5.

Theorems 4 and 6 can be used for generalizing some results given in [31]: any
Boolean function with an odd number of variables which has at most 7 nonzero
auto-correlation coefficients is almost optimal and it has a three-valued extended
Walsh spectrum. This result does not hold anymore when $f$ has 8 nonzero auto-
correlation coefficients:

Example 4. For any odd $n \ge 5$, the function

f{xi, . . . ,Xn) = X 2 XzXiX 5 + XiXiXz + X^X^ + X 2 Xi + g{xQ, . . . ,Xn) (2) 

where $g$ is any bent function with $(n-5)$ variables, is such that $\{a \in \mathbf{F}_2^n, \mathcal{F}(D_af) \ne
0\} = \mathrm{Span}\{e_1, e_2, e_3\}$. This function satisfies $\mathcal{L}(f) = 2^{(n+1)/2}$ and its extended
Walsh spectrum has exactly 5 values, $0, \pm 2^{(n-1)/2}, \pm 2^{(n+1)/2}$. Moreover, its sum-
of-squares indicator is $\mathcal{V}(f) = $ 2^™“^ [1]. Since the bent function $g$ can take
any degree less than or equal to $(n-5)/2$, the function defined in (2) can be
obtained for any degree $d$, $4 \le d \le (n-5)/2$. Other almost optimal functions
whose extended Walsh spectra have more than 3 values can be found in [10,11].

7 Correlation-Immunity of Boolean Functions with a Three-Valued Extended Walsh Spectrum 

We now show that most functions with a three-valued extended Walsh spectrum 
can be easily transformed into a 1-resilient function, i.e. into a function which 
is balanced and first-order correlation-immune. Since the values of the extended 
Walsh spectrum are symmetric with respect to 0, if the extended Walsh spectrum 
of a function has exactly three values, then one of these values is 0. Such a 
function can therefore be transformed (by addition of a linear function) into a 
balanced function which has the same extended Walsh spectrum. 

Theorem 7. Let $f$ be a balanced Boolean function with $n$ variables. Assume that 
its extended Walsh spectrum takes three values. Then there exists a linear per-
mutation $\pi$ of $\mathbf{F}_2^n$ such that $f\circ\pi$ is 1-resilient if and only if there is no linear 
permutation $\pi'$ of $\mathbf{F}_2^n$ such that $f\circ\pi'$ satisfies PC$(n-1)$. 

Proof: Recall that Proposition 3 asserts that $f$ can be transformed into a 1-
resilient function if and only if $E_{\mathcal{L}}(f)$ has rank $n$. We know from Theorem 2 
that $\mathcal{L}(f) = 2^i$ for some $i \ge n/2$ and that the number of zero Walsh coefficients 
of $f$ is $|E_{\mathcal{L}}(f)| = 2^n - 2^{2n-2i}$. Since $f$ is balanced, it cannot be bent and 
thus $i \ge (n+1)/2$. It follows that $|E_{\mathcal{L}}(f)| \ge 2^{n-1}$, with equality if and only 
if $i = (n+1)/2$. We obviously deduce that $E_{\mathcal{L}}(f)$ has full rank when $\mathcal{L}(f) > 
2^{(n+1)/2}$. Let us now assume that $n$ is odd and $\mathcal{L}(f) = 2^{(n+1)/2}$. The only case 
where $E_{\mathcal{L}}(f)$ does not have full rank is when it is a hyperplane of $\mathbf{F}_2^n$. Let 
$\{0, a\} = E_{\mathcal{L}}(f)^{\perp}$. Proposition 5 applied to $E_{\mathcal{L}}(f)$ leads to 

$$0 = \sum_{\alpha \in E_{\mathcal{L}}(f)} \mathcal{F}^2(f + \varphi_\alpha) = 2^{n-1}\bigl(\mathcal{F}(D_0 f) + \mathcal{F}(D_a f)\bigr) = 2^{n-1}\bigl(2^n + \mathcal{F}(D_a f)\bigr) .$$

Thus $\mathcal{F}(D_a f) = -2^n$; $f$ is then an almost optimal function which has a linear 
structure. From Corollary 2 we deduce that $f$ can be transformed into a function 
satisfying PC$(n-1)$. 

Conversely, if there is a linear permutation $\pi$ such that $f\circ\pi$ satisfies PC$(n-1)$, 
then $\mathcal{L}(f) = 2^{(n+1)/2}$ and $f$ has a linear structure $a$. We now apply Proposition 5 
to $H = \{0, a\}^{\perp}$: 

$$\sum_{\alpha \in H} \mathcal{F}^2(f + \varphi_\alpha) = 2^{n-1}\bigl(2^n + \mathcal{F}(D_a f)\bigr) = 0 \text{ or } 2^{2n} .$$

Since by hypothesis $f\circ\pi$ is balanced, we have that 

$$\sum_{\alpha \in H} \mathcal{F}^2(f + \varphi_\alpha) \le \mathcal{L}(f)^2\,(2^{n-1} - 1) < 2^{2n} .$$

Thus $\sum_{\alpha \in H} \mathcal{F}^2(f + \varphi_\alpha) = 0$. It follows that $\mathcal{F}(f + \varphi_\alpha) = 0$ for all $\alpha \in H$. Since 
$|E_{\mathcal{L}}(f)| = 2^{n-1}$, we deduce that $E_{\mathcal{L}}(f) = H$ and thus it has rank $n-1$. □ 

For any odd $n$, 1-resilient functions with $n$ variables having nonlinearity $2^{n-1} - 
2^{(n-1)/2}$ can then be easily constructed. According to Theorem 5 it is sufficient 
to consider the restriction of a bent function with $(n+1)$ variables to any hy-
perplane $\{x \in \mathbf{F}_2^{n+1},\ a\cdot x = 0\}$ where $\sum_{i=1}^{n+1} a_i$ is odd. We then only have to check 
that this function has no linear structure, and we transform it by addition of an 
appropriate linear function and by composition with a linear permutation. 

Corollary 3. Let $n$ be an odd integer. For any integer $d$, $2 \le d \le (n+1)/2$, there 
exists a 1-resilient function with $n$ variables having degree $d$ and nonlinearity 

$$2^{n-1} - 2^{(n-1)/2} .$$

Proof: We consider the following bent function with $(n+1)$ variables which 
belongs to the Maiorana-McFarland class [9]: 

$$\forall (x,y) \in \mathbf{F}_2^{(n+1)/2} \times \mathbf{F}_2^{(n+1)/2},\quad f(x,y) = x\cdot\pi(y) + h(y)$$

where $h$ is any Boolean function with $(n+1)/2$ variables and $\pi$ is the permutation 
of $\mathbf{F}_2^{(n+1)/2}$ identified with the power function $x \mapsto x^s$ over $\mathbf{F}_{2^{(n+1)/2}}$. We choose for 
example $s = 2^k + 1$ with $k < (n+1)/2$ and $(n+1)/(2\gcd(k,(n+1)/2))$ odd, or $s = 7$ when 
$(n+1)$ is a power of 2. Let $g$ be the restriction of $f$ to the hyperplane $\{x \in 
\mathbf{F}_2^{n+1},\ x_1 = 0\}$. The restriction of $f$ has no linear structure when all derivatives 
of $f$ have degree at least 2. Here we have for any $(a, \beta)$, 

$$D_{(a,\beta)} f(x,y) = a\cdot\pi(y+\beta) + x\cdot\bigl(\pi(y+\beta) + \pi(y)\bigr) + D_\beta h(y) .$$

Our choice for the permutation $\pi$ implies that the degree of $D_{(a,\beta)} f$ is at least 2 
when $(a,\beta) \ne (0,0)$ (see e.g. [19]). It follows that $g$ has no linear structure; it 
can therefore be transformed into a 1-resilient almost optimal function. Since 
there is no restriction on $h$, $h$ can be chosen of any degree less than or equal to 
$(n+1)/2$. Thus $g$ can take any degree $d$, $4 \le d \le (n+1)/2$. Note that such 
almost optimal functions of degree 2 and 3 can easily be constructed from the 
functions with 5 variables given in [1]. □ 

Note that Sarkar and Maitra [24] provide a construction method for 1-resilient 
functions with $n$ variables having nonlinearity $2^{n-1} - 2^{(n-1)/2}$ and degree $(n-2)$, 
for any odd $n \ge 5$. 
Abstract. This paper proposes a fast parallel Montgomery multiplication 
algorithm based on Residue Number Systems (RNS). It is easy to construct a 
fast modular exponentiation by applying the algorithm repeatedly. To realize 
an efficient RNS Montgomery multiplication, the main contribution of this paper 
is to provide a new RNS base extension algorithm. The Cox-Rower Architecture 
described in this paper is a hardware structure suited to the RNS Montgomery 
multiplication. In this architecture, the base extension algorithm is executed 
in parallel by several Rower units controlled by a Cox unit. Each Rower unit is 
a single-precision modular multiplier-and-accumulator, whereas the Cox unit is 
typically a 7-bit adder. Although the main body of the algorithm processes 
numbers in RNS form, efficient procedures to transform RNS to or from a radix 
representation are also provided. The exponentiation algorithm can thus be 
adapted to the existing standard radix interface of the RSA cryptosystem. 



1 Introduction 

Many researchers have been working on how to implement public key cryptogra-
phy faster. A fast modular multiplication for large integers is of special interest 
because it gives a basis for a fast modular exponentiation, which is used by 
many cryptosystems such as RSA, Rabin, Diffie-Hellman and ElGamal. Recent 
improvements in integer factoring lead to the recommendation that longer keys 
should be used, so even faster algorithms are required. A lot of work has 
been done with a view to realizing fast computation in a radix representation, and 
it might seem that all the major performance improvements in a radix represen-
tation have already been achieved. Nevertheless, the use of Residue Number Systems 
(RNS) appears to be a promising approach for achieving a breakthrough. 

RNS is a method of representing an integer by the set of its residues with 
respect to a given base, which is a set of relatively prime moduli. A well-known 
advantage of RNS is that addition, subtraction and multiplication can be carried 
out independently on each RNS element. If 
n processing units perform the computation, the processing speed will be n times 

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 523-538, 2000. 
faster. So, RNS has been studied with a view to its application in areas where fast 
and parallel processing methods are required [1,2,3,4]. Digital signal processing is 
one such area. As for cryptographic applications, a paper by Quisquater et al. [5] 
was the first report on the application of RNS to the RSA cryptosystem [6]. With 
respect to RNS, however, it deals with a limited case, since one cannot choose 
an arbitrary base but has to choose the secret keys p and q as the RNS base. 
Thus, it can be applied only to decryption. The disadvantages of RNS are that 
division and comparison are not efficiently implemented. Therefore, although 
RNS is considered to be a good candidate for fast and parallel computation 
in public key cryptography, it was not until the early 90's that RNS was shown 
to be really applicable for that purpose. 

To overcome the disadvantages of RNS, a novel approach combining RNS 
with Montgomery multiplication was proposed. The idea behind this is that, 
since Montgomery multiplication effectively avoids division in a radix repre-
sentation, it is expected to be effective for avoiding the difficulties of implementing 
division in RNS as well. To the best of our knowledge, Posch et al. were the first 
to invent an RNS Montgomery multiplication [7]. Other works [9] and [11] 
also discuss RNS Montgomery multiplications. These works deal with methods 
where the RNS base can be chosen almost independently of the secret keys p and q. So, 
these algorithms can be applied to RSA encryption as well as decryption. Note 
that Paillier's algorithm in [11] is aimed at a special case where the base size is 
limited to 2. The latter two systems, [9] and [11], are partly based on a mixed 
radix representation. It seems to us that a fully parallel computation cannot be 
realized in this setting and thus the methods are slower. So far, Posch et al.'s 
method seems the fastest for parallel hardware and general parameters. 

According to the three forerunners above, most of the processing time for RNS 
Montgomery multiplication is devoted to base extensions. A base extension is 
a procedure to transform a number represented in an RNS base into that in 
another base which contains the original base as a subset. So, the main contribution 
of this paper is to provide a new base extension algorithm. This results in a new 
RNS Montgomery multiplication algorithm which requires less hardware and is 
more sophisticated than Posch et al.'s. It is easy to realize a modular exponen-
tiation algorithm by applying the RNS Montgomery multiplication repeatedly. 
In addition, it is important that the algorithm can be adapted to an existing 
standard RSA interface, i.e., usually, a radix representation. Therefore, another 
purpose of this paper is to provide efficient ways to transform RNS to or from a 
radix representation. 

This paper is organized as follows: Section 2 briefly describes basic notions 
such as the RNS representation, Montgomery multiplication, and RNS Mont-
gomery multiplication. In Section 3, a new base extension algorithm is proposed, 
which plays an important role in the RNS Montgomery multiplication. Section 
4 presents the Cox-Rower Architecture and the RNS Montgomery multiplication 
algorithm, which is applied to construct an exponentiation algorithm. Trans-
formations between RNS and a radix representation are shown as well. Section 
5 deals with implementation issues such as parameter design and performance. 
Section 6 concludes the paper. 



2 Preliminaries 



2.1 Residue Number Systems 

Usually, a number is expressed in a radix representation. A radix-$2^r$ representa-
tion of $x$ is an $n$-tuple $(x_{(n-1)}, \cdots, x_{(0)})$ which satisfies 

$$x = (2^{r(n-1)}, \cdots, 2^{r}, 1)\,(x_{(n-1)}, \cdots, x_{(1)}, x_{(0)})^{T} \qquad (1)$$

where $0 \le x_{(i)} \le 2^r - 1$. 

Residue Number Systems (RNS) are also a method for representing a number. 
Let $\langle x \rangle_a$ denote an RNS representation of $x$; then 

$$\langle x \rangle_a = (x[a_1], x[a_2], \cdots, x[a_n])$$

where $x[a_i] = x \bmod a_i$. The set $a = \{a_1, a_2, \cdots, a_n\}$ is called a base, whose 
number of elements is called the base size. In this example, the base size is $n$. We 
require here that $\gcd(a_i, a_j) = 1$ (if $i \ne j$). 

According to the Chinese remainder theorem, $x$ can be computed from $\langle x \rangle_a$ as 



( 



where $A = \prod_{i=1}^{n} a_i$, $A_i = A/a_i$, and $A_i^{-1}[a_i]$ is a multiplicative inverse of $A_i$ 
modulo $a_i$. In Equation (2), the expression in the middle is a general form, 
whereas our base extension is based on the last one. 

In the following section, we use two different bases, $a$ and $b$, to realize an RNS 
modular multiplication. They are assumed to satisfy $\gcd(A, B) = 1$. A symbol 
$m$ is sometimes used instead of $a$ or $b$ when the symbol can be replaced by either 
$a$ or $b$. We also use the convention that $\langle z \rangle_{a\cup b} = (\langle x \rangle_a, \langle y \rangle_b)$, which means 
that $z$ is the number that satisfies $z \equiv x \pmod A$, $z \equiv y \pmod B$, and $z < AB$. 

The advantages of an RNS representation are that addition, subtraction, 
and multiplication are simply realized by modular addition, subtraction, and 
multiplication of each element: 

$$\langle x \rangle_a \pm \langle y \rangle_a = \bigl((x[a_1] \pm y[a_1])[a_1], \cdots, (x[a_n] \pm y[a_n])[a_n]\bigr)$$
$$\langle x \rangle_a \cdot \langle y \rangle_a = \bigl((x[a_1]\,y[a_1])[a_1], \cdots, (x[a_n]\,y[a_n])[a_n]\bigr) .$$



Since each element is independently computed, if n computation units run in 
parallel, this computation finishes within a time required for a single operation of 
the unit. The disadvantages of an RNS representation are that it is comparatively 
difficult to perform comparison and division [12]. 
2.2 Montgomery Multiplication 

Montgomery's modular multiplication method without division is a standard 
method in a radix representation to implement public key cryptography which 
requires modular reduction [13]. The algorithm is presented in five steps below, 
whose inputs are $x$, $y$, and $N$ ($x, y < N$), and the output is $w = xyR^{-1} \pmod N$, 
where $w < 2N$. 



1: s ← xy 
2: t ← s · (−N^{-1}) mod R 
3: u ← t · N 
4: v ← s + u 
5: w ← v / R 

where $\gcd(R, N) = 1$ and $N < R$. In step 2, $t$ is computed so that $v$ is a 
multiple of $R$. Actually, assume that $v$ is a multiple of $R$, i.e., $v \bmod R = 0$; 
then $(s + tN) \bmod R = 0$. This equation is solved as $t = -sN^{-1} \pmod R$, which 
is equivalent to the computation in step 2. $R$ must be chosen so that steps 2 
and 5 are efficiently computed. It is usually chosen to be a power of 2 in a radix-2 
representation. $\gcd(R, N) = 1$ ensures the existence of $N^{-1} \bmod R$. The condition $N < 
R$ is sufficient for $w < 2N$ because $w = (xy + tN)/R < (N^2 + RN)/R = (N/R + 
1)N < 2N$. Since $wR = xy + tN$, $wR \equiv xy \pmod N$ holds. By multiplying 
by $R^{-1} \bmod N$ on both sides, $w \equiv xyR^{-1} \pmod N$ is obtained. The Montgomery 
multiplication is also useful for avoiding inefficient divisions in RNS. 

2.3 Montgomery Multiplication in RNS 

To derive an RNS Montgomery multiplication algorithm, we introduce two RNS 
bases $a$ and $b$, and translate the 5 steps of the previous section into RNS com-
putation in base $a \cup b$. It is assumed that $A$ and $B$ are chosen sufficiently large 
that all intermediate values are less than $AB$. Under this assumption, steps 1, 3, 
and 4 of the previous section are easily transformed into RNS form. For instance, 
step 1 will be performed by $\langle s \rangle_{a\cup b} = \langle x \rangle_{a\cup b} \cdot \langle y \rangle_{a\cup b}$. 

As for step 2, the constant $R$ is set to $B = \prod_{i=1}^{n} b_i$. Then, $t$ can be computed 
simply by $\langle t \rangle_b = \langle s \rangle_b \cdot \langle -N^{-1} \rangle_b$. It is necessary, however, that $\langle t \rangle_{a\cup b}$ is 
derived from $\langle t \rangle_b$ so that the computation in base $a \cup b$ can be continued. In this 
paper, such a procedure is called a base extension, where a number represented 
in either base $a$ or base $b$ is transformed into that in base $a \cup b$. 

The remaining step is 5. Since $v$ is a multiple of $B$, $w$ is the integer which 
satisfies $v = wB$. So, if $A$ is larger than $w$, $w$ can be computed by $\langle w \rangle_a = 
\langle v \rangle_a \cdot \langle B^{-1} \rangle_a$. Note that the base $b$ representation is unnecessary to realize step 
5 in RNS. In addition, the base $b$ representation in step 4 is always $\langle v \rangle_b = \langle 0 \rangle_b$, 
because $v$ is a multiple of $B$. So, the computation in base $b$ at steps 3 and 4 can 
be skipped as well. 

Figure 1 shows an overview of the RNS Montgomery multiplication algo- 
rithm. In this Figure, operations in base a and base b are shown separately. 
Each step corresponds to the step of the same number in the previous section. 
Input: <x>_{a∪b}, <y>_{a∪b} (where x, y < 2N) 

Output: <w>_{a∪b} (where w = xyB^{-1} (mod N), w < 2N) 

       Base a Operation                   Base b Operation 
1:     <s>_a ← <x>_a · <y>_a              <s>_b ← <x>_b · <y>_b 
2a:    —                                  <t>_b ← <s>_b · <−N^{-1}>_b 
2b:    <t>_a ⇐ <t>_b                      (base extension from base b to base a) 
3:     <u>_a ← <t>_a · <N>_a              — 
4:     <v>_a ← <s>_a + <u>_a              — 
5a:    <w>_a ← <v>_a · <B^{-1}>_a         — 
5b:    <w>_a ⇒ <w>_b                      (base extension from base a to base b) 

Fig. 1. Overview of the Montgomery Multiplication in RNS 



Almost the same procedure is provided by Posch et al. [7]. Note that the range 
of the input is changed from less than N to less than 2N. The purpose of this is to 
make the ranges of input and output compatible with each other, so that it be-
comes possible to construct a modular exponentiation algorithm by repeating 
the Montgomery multiplication. The base extension at step 5b is necessary for the 
same reason. 

If the two base-extension steps in Fig. 1 are error-free, we can specify the 
conditions that $A$ and $B$ should satisfy for a given $N$. The conditions $\gcd(B, N) = 
1$ and $\gcd(A, B) = 1$ are sufficient for the existence of $N^{-1} \bmod B$ and $B^{-1} \bmod 
A$, respectively. $4N < B$ is also sufficient for $w < 2N$ to hold when $x, y < 2N$. 
Actually, 



B B B \ B J - 

This equation also shows that the condition $2N < A$ is sufficient for $w < A$ and 
$v < AB$. Since $v$ is the maximum intermediate value, all values are less than 
$AB$. In summary, the following four conditions are sufficient: 

- gcd(B, N) = 1, 

- gcd(A, B) = 1, 

- 4N < B, and 

- 2N < A. 

Since the base extension algorithm proposed later introduces approximations, 
the last two conditions will be modified in section 4.1 by Theorem 3. 

In Fig. 1, if n processing units perform in parallel, the processing time is 
roughly estimated as the time for 5 single-precision modular multiplications plus 
two base extensions. Therefore devising a fast base extension algorithm is 
crucial for realizing a fast RNS Montgomery multiplication. 
3 New Approach for Base Extension 

3.1 Reduction Factor k 

One might transform an RNS expression to another via a radix representation, 
i.e., $\langle x \rangle_m \to x \to \langle x \rangle_{m'}$, and thus obtain $\langle x \rangle_{m\cup m'} = (\langle x \rangle_m, \langle x \rangle_{m'})$. 
However, such a naive approach usually requires multi-precision integer arith-
metic, which it is preferable to avoid. Nevertheless, considering how to represent 
$x$ with the elements of $\langle x \rangle_m$ is a key approach in our work as well as in [7], [9], 
and [11]. From Equation (2), there exists a unique integer $k$ that satisfies 

$$x = \sum_{i=1}^{n} \bigl(x[m_i]\,M_i^{-1}[m_i] \bmod m_i\bigr)\,M_i - kM . \qquad (3)$$

In this paper, $k$ is called a reduction factor. Our objective here is to represent $k$ 
with known variables. Let us define a value $\xi_i$ as 

$$\xi_i = x[m_i]\,M_i^{-1}[m_i] \bmod m_i .$$

Then, Equation (3) is simplified as 

$$x = \sum_{i=1}^{n} \xi_i M_i - kM . \qquad (4)$$

Here the unknown parameters are $k$ and $x$. If both sides are divided by $M$, it follows 
that 

$$\sum_{i=1}^{n} \frac{\xi_i}{m_i} = k + \frac{x}{M} . \qquad (5)$$

Since $0 \le x/M < 1$, $k \le \sum_{i=1}^{n} \xi_i/m_i < k + 1$ holds. Therefore, 

$$k = \Bigl\lfloor \sum_{i=1}^{n} \frac{\xi_i}{m_i} \Bigr\rfloor .$$

Here, $0 \le k < n$ holds, because $0 \le \xi_i/m_i < 1$. It is important that $k$ is 
upper-bounded by $n$. Due to this property our algorithm is simpler than Posch 
et al.'s algorithm. 



3.2 Approximate Representation for Factor k 

In the previous section a close estimate for $k$ was derived. It requires, however, 
division by base values, which is in general not easy. To facilitate the computation, 
two approximations are introduced here: 

— a denominator $m_i$ is replaced by $2^r$, where $2^{r-1} < m_i < 2^r$ 

— a numerator $\xi_i$ is approximated by its most significant $q$ bits, where $q < r$ 
In this paper it is assumed that $r$ is common to all base elements to realize 
modularity of hardware, whereas in general $r$ may be different for each $m_i$. 
With these approximations, $k$ is given by 

$$\hat{k} = \Bigl\lfloor \sum_{i=1}^{n} \frac{\mathrm{trunc}(\xi_i)}{2^r} + \alpha \Bigr\rfloor \qquad (6)$$

where $\mathrm{trunc}(\xi_i) = \xi_i \wedge (\underbrace{1 \ldots 1}_{q}\underbrace{0 \ldots 0}_{r-q})$ and $\wedge$ means a bitwise AND operation. 

An offset value $\alpha$ is introduced to compensate for errors caused by the approximation. 
Suggested values of $\alpha$ will be derived later. Since division by a power of 2 can be 
realized by virtually shifting the fixed point, the approximate value $\hat{k}$ is computed 
by addition alone. Further, $\hat{k}$ can be computed recursively bit by bit using the 
following equations with an initial value $\sigma_0 = \alpha$: 

$$\sigma_i = \sigma_{i-1} + \mathrm{trunc}(\xi_i)/2^r,\quad k_i = \lfloor \sigma_i \rfloor,\quad \sigma_i = \sigma_i - k_i \qquad (\text{for } i = 1, \cdots, n). \qquad (7)$$

It is easy to show that the sequence $k_i$ satisfies $\hat{k} = \sum_{i=1}^{n} k_i$, $k_i \in \{0, 1\}$. 

To evaluate the effect of the approximation later, $\varepsilon$'s and $\delta$'s are defined as 

$$\varepsilon_{m_i} = (2^r - m_i)/2^r,\quad \delta_{m_i} = (\xi_i - \mathrm{trunc}(\xi_i))/m_i \qquad (8)$$
$$\varepsilon_m = \mathrm{Max}(\varepsilon_{m_i}),\quad \delta_m = \mathrm{Max}(\delta_{m_i}) \qquad (9)$$
$$\varepsilon = \mathrm{Max}(\varepsilon_a, \varepsilon_b),\quad \delta = \mathrm{Max}(\delta_a, \delta_b). \qquad (10)$$

$\varepsilon$ is due to the denominator's approximation and $\delta$ is related to the numerator's. 



3.3 Recursive Base Extension Algorithm 

Integrating Equations (4), (6), and (7), the main formula for a base extension from 
base $m$ to base $m \cup m'$ is derived as 

$$y[m'_i] = \sum_{j=1}^{n} \bigl(\xi_j\,M_j[m'_i] + k_j\,(-M)[m'_i]\bigr) \bmod m'_i \qquad (\text{for } i). \qquad (11)$$

Figure 2 shows the overall base extension procedure, where step 7 corresponds 
to Equation (11) and steps 2, 4, 5, and 6 to Equation (7). $n$ processing units 
are assumed to run in parallel. Each unit is dedicated to some $m_i$ or $m'_i$ and 
independently computes a multiply-and-accumulate step of the form 

$$(c_{j-1} + \xi_j g_j + d_j) \bmod m_i .$$

Since the algorithm introduces approximation, the base extension algorithm 
does not always output a correct value. The following two theorems state how 
much error will occur under two different conditions. Refer to Appendix A for 
their proofs. 
Input: <x>_m; m, m'; α 

Output: <z>_{m∪m'} = (<x>_m, <y>_{m'}) 

Precomputation: <M_i^{-1}>_m, <M_i>_{m'} (for i), <−M>_{m'} 
1: ξ_i = x[m_i] · M_i^{-1}[m_i] mod m_i (for i) 

2: σ_0 = α, y_{i,0} = 0 (for i) 

3: For j = 1, ..., n, compute 

4:   σ_j = σ_{j−1} + trunc(ξ_j)/2^r 

5:   k_j = ⌊σ_j⌋   /* Comment: k_j ∈ {0, 1} */ 

6:   σ_j = σ_j − k_j 

7:   y_{i,j} = y_{i,j−1} + ξ_j · M_j[m'_i] + k_j · (−M)[m'_i] (for i) 

8: End for 

9: y[m'_i] = y_{i,n} mod m'_i (for i) 

Fig. 2. Base Extension Algorithm (BE) 



Theorem 1. If $0 \le n(\varepsilon_m + \delta_m) \le \alpha < 1$ and $0 \le x < (1 - \alpha)M$, then $\hat{k} = k$ 
and the algorithm BE (in Fig. 2) extends the base without error, i.e., $z = x$ 
holds with respect to the output $\langle z \rangle_{m\cup m'}$. 

Theorem 2. If $\alpha = 0$, $0 \le n(\varepsilon_m + \delta_m) < 1$ and $0 \le x < M$, then $\hat{k} = 
k$ or $k - 1$ and the algorithm BE (in Fig. 2) outputs $\langle z \rangle_{m\cup m'}$ which satisfies 
$z \equiv x \pmod M$ and $z < \{1 + n(\varepsilon_m + \delta_m)\}M$. 

Theorem 1 means that if the offset $\alpha$ is properly chosen, the algorithm BE 
is error-free so long as the input $x$ is not too close to $M$. Note that $x$ is not 
lower-bounded. On the other hand, Theorem 2 means that without an offset $\alpha$, 
for any input $x$, the algorithm BE outputs the correct value or the correct value plus 
$M$. As for Theorem 2, in [7] Posch et al. observed a similar fact with respect 
to their own base extension algorithm. 

4 Cox-Rower Architecture 

4.1 RNS Montgomery Multiplication Algorithm 

The Montgomery multiplication algorithm in Fig. 3 is derived by integrating the base 
extension algorithm in Fig. 2 into the flow in Fig. 1. At the base extension in step 
4, the offset value is 0 and the extension error upper-bounded by Theorem 2 will 
occur. In Fig. 3, a symbol $\hat{t}$ is used in place of $t$ to indicate the extension error. In 
step 8, on the other hand, the offset value $\alpha$ is chosen so that the extension is 
error-free by Theorem 1. As will be shown later, a typical offset value is 1/2. 

By defining $\Delta = n(\varepsilon + \delta)$, the theorem below ensures the correctness of the 
algorithm. Refer to Appendix B for the proof. 

Theorem 3. If (1) $\gcd(N, B) = 1$, (2) $\gcd(A, B) = 1$, (3) $0 < \Delta < \alpha < 1$, 
(4) $4N/(1 - \Delta) < B$, and (5) $2N/(1 - \alpha) < A$, then for any input $x, y < 
2N$, the algorithm MM (in Fig. 3) outputs $\langle w \rangle_{a\cup b}$ which satisfies $w \equiv 
xyB^{-1} \pmod N$, $w < 2N$. 
Condition (4) is derived to satisfy $w < 2N$. Conditions (3) and (5) are necessary 
in order that the base extension at step 8 is error-free. Conditions (4) and (5) 
are sufficient for the largest intermediate value $v$ to be less than $AB$. Theorem 
3 ensures that the range of the output $w$ is compatible with that of the inputs $x$ 
and $y$. This allows us to use the algorithm repeatedly to construct a modular 
exponentiation. 



Input: <x>_{a∪b}, <y>_{a∪b} (where x, y < 2N) 

Output: <w>_{a∪b} (where w = xyB^{-1} (mod N), w < 2N) 

Precomputation: <−N^{-1}>_b, <N>_a, <B^{-1}>_a 

1: s[a_i] = x[a_i] · y[a_i] mod a_i (for i) 

2: s[b_i] = x[b_i] · y[b_i] mod b_i (for i) 

3: t[b_i] = s[b_i] · (−N^{-1})[b_i] mod b_i (for i) 

4: <t̂>_a = BE(<t>_b; b, a; 0) 

5: u[a_i] = t̂[a_i] · N[a_i] mod a_i (for i) 

6: v[a_i] = (s[a_i] + u[a_i]) mod a_i (for i) 

7: w[a_i] = v[a_i] · B^{-1}[a_i] mod a_i (for i) 

8: <w>_b = BE(<w>_a; a, b; α > 0) 

(Note: BE is the algorithm shown in Fig. 2.) 

Fig. 3. RNS Montgomery Multiplication Algorithm (MM) 



Figure 4 shows a typical hardware structure suitable for the RNS Mont-
gomery multiplication. There are $n$ Rower units and a Cox unit. Each 
Rower unit has a multiplier-and-accumulator with modular reduction by $a_i$ or 
$b_i$. The Cox unit consists of a truncation unit, a $q$-bit adder, and its output register. 
It computes $\hat{k}$ bit by bit. The Cox unit acts as if it directs the Rower units, which 
compute the main part of a Montgomery multiplication. 

Our proposal has an advantage over Posch et al.'s [7,8] in that the 
base extension in step 8 is error-free. This makes extra steps for error correction 
unnecessary in our algorithm. In addition, in our algorithm the reduction factor 
$\hat{k}$ can be computed by addition alone, whereas a multiplier-and-accumulator 
similar to a Rower unit is required in their algorithm. Unlike Posch et al.'s, 
there is no lower bound for $N$ in our algorithm. This means an LSI which can 
execute the 1024-bit RSA cryptosystem can also deal with 768-bit, 512-bit, and so 
on. 



4.2 Exponentiation with RNS Montgomery Multiplication 

Figure 5 shows an exponentiation algorithm based on the binary method, other-
wise known as the square-and-multiply method. The main loop of the algorithm is 
realized by the repetition of the Montgomery multiplication in Fig. 3. The first step 
of the algorithm transforms an input integer $x$ into $x' = xB \bmod N$. The last 



Fig. 4. The Cox-Rower Architecture 



step is the inverse of the first step. It is possible to replace a binary exponenti- 
ation method by other more efficient methods such as a window method. 

In [7] and [10], it was proposed that RNS should be used as the input and 
output representation of the algorithm, presumably to avoid further steps nec- 
essary for Radix-to-RNS and RNS-to-Radix transformations. Actually, they did 
not provide any Radix to or from RNS transformations. In order to adapt the ar- 
chitecture to an existing interface of the RSA cryptosystem, it seems important 
to provide Radix to or from RNS transformations suitable for the Cox-Rower 
Architecture. Such transformations will be provided in the following two sections. 



Input: <x>_{a∪b}, e = (e_k, ..., e_1)_(2) (where e_k = 1, k ≥ 2) 
Output: <y>_{a∪b} (where y = x^e (mod N), y < 2N) 
Precomputation: < mod N >_{a∪b} 
1: <x>_{a∪b} ← MM(<x>_{a∪b}, < mod N >_{a∪b}) 

2: <y>_{a∪b} ← <x>_{a∪b} 

3: For i = k − 1, ..., 1, compute 

4:   <y>_{a∪b} ← MM(<y>_{a∪b}, <y>_{a∪b}) 

5:   If e_i = 1, then <y>_{a∪b} ← MM(<y>_{a∪b}, <x>_{a∪b}) 

6: End for 

7: <y>_{a∪b} ← MM(<y>_{a∪b}, <1>_{a∪b}) 

(Note: MM is the algorithm shown in Fig. 3.) 

Fig. 5. RNS Modular Exponentiation Algorithm (EXP) 
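The algorithms BE (Fig. 2), MM (Fig. 3) and EXP (Fig. 5), together with a check of the five conditions of Theorem 3, as an added Python example that is not code from the paper. It uses constructed toy parameters (r = 16, n = 4, N = 2^61 − 1, α = 1/2) instead of the paper's r = 32, n = 33, finds the bases by the computer search of section 5.1, and assumes that the precomputed constant of Fig. 5 is B^2 mod N, which is what step 1's x' = xB mod N requires (the page shows only "mod N").

```python
"""Algorithms BE (Fig. 2), MM (Fig. 3) and EXP (Fig. 5), with the two approximations
of section 3.2 (q-bit truncation, 2^r denominator, offset alpha) carried out as
Fig. 2 prescribes.  Constructed toy instance: r = 16, n = 4, N = 2^61 - 1,
alpha = 1/2 (the paper uses r = 32, n = 33)."""
from fractions import Fraction
from math import floor, gcd, prod

R, Q = 16, 5          # r: Rower word size, q: Cox adder width (toy values)


def choose_bases(r, n):
    """Computer search as in section 5.1: the 2n largest pairwise coprime
    moduli below 2^r; the first n form base a, the next n form base b."""
    chosen, m = [], (1 << r) - 1
    while len(chosen) < 2 * n:
        if all(gcd(m, c) == 1 for c in chosen):
            chosen.append(m)
        m -= 1
    return chosen[:n], chosen[n:]

def to_rns(x, base):
    return [x % m for m in base]

def from_rns(res, base):
    """Exact CRT (Equation (2)); used only to check results, never by BE/MM."""
    M = prod(base)
    return sum(x * (M // m) * pow(M // m, -1, m) for x, m in zip(res, base)) % M

def trunc(xi):
    """Keep the q most significant of the r bits of xi (AND with 1..1 0..0)."""
    return xi & (((1 << Q) - 1) << (R - Q))

def base_extend(x_m, m, m2, alpha):
    """Algorithm BE: <x>_m -> <y>_m' with y = sum_j xi_j*M_j - k_hat*M, k_hat
    being the Cox unit's bit-by-bit estimate of the reduction factor (Eq. (7))."""
    M, n = prod(m), len(m)
    xi = [(x_m[j] * pow(M // m[j], -1, m[j])) % m[j] for j in range(n)]   # step 1
    sigma, k_hat = Fraction(alpha), []                                   # step 2
    for j in range(n):                                   # steps 3-6: Cox unit
        sigma += Fraction(trunc(xi[j]), 1 << R)          # sigma_j = sigma_{j-1} + trunc(xi_j)/2^r
        k_j = floor(sigma)                               # k_j in {0, 1}
        sigma -= k_j
        k_hat.append(k_j)
    y = []
    for mp in m2:                                        # steps 7, 9: one Rower unit per m'_i
        acc = sum(xi[j] * ((M // m[j]) % mp) + k_hat[j] * ((-M) % mp) for j in range(n))
        y.append(acc % mp)
    return y

def mont_mul(x_ab, y_ab, N, a, b, alpha):
    """Algorithm MM: <w>_{a u b} with w = x*y*B^-1 (mod N) and w < 2N."""
    n, B = len(a), prod(b)
    s_a = [(x_ab[i] * y_ab[i]) % a[i] for i in range(n)]                  # step 1
    s_b = [(x_ab[n + i] * y_ab[n + i]) % b[i] for i in range(n)]          # step 2
    t_b = [(s_b[i] * pow(-N, -1, b[i])) % b[i] for i in range(n)]         # step 3
    t_a = base_extend(t_b, b, a, 0)            # step 4: alpha = 0, so t_hat = t or t + B
    v_a = [(s_a[i] + t_a[i] * N) % a[i] for i in range(n)]               # steps 5, 6
    w_a = [(v_a[i] * pow(B, -1, a[i])) % a[i] for i in range(n)]          # step 7
    return w_a + base_extend(w_a, a, b, alpha)  # step 8: error-free by Theorem 1

def mont_exp(x_ab, e, N, a, b, alpha):
    """Algorithm EXP (binary method): y = x^e (mod N), y < 2N.  Assumes the
    precomputed constant of Fig. 5 is B^2 mod N, so step 1 gives x' = xB mod N."""
    c = pow(prod(b), 2, N)
    x_ab = mont_mul(x_ab, to_rns(c, a) + to_rns(c, b), N, a, b, alpha)   # step 1
    y_ab = list(x_ab)                                                    # step 2
    for bit in bin(e)[3:]:                 # e_{k-1} .. e_1; e_k = 1 is covered by step 2
        y_ab = mont_mul(y_ab, y_ab, N, a, b, alpha)                      # step 4
        if bit == "1":
            y_ab = mont_mul(y_ab, x_ab, N, a, b, alpha)                  # step 5
    return mont_mul(y_ab, to_rns(1, a) + to_rns(1, b), N, a, b, alpha)   # step 7

def theorem3_conditions(N, a, b, alpha):
    """The five conditions of Theorem 3, with eps, delta from (8)-(10) and the
    bound delta <= (2^(r-q) - 1)/m_i of section 5.1 (exact rationals)."""
    A, B, n = prod(a), prod(b), len(a)
    eps = max(Fraction((1 << R) - m, 1 << R) for m in a + b)
    delta = max(Fraction((1 << (R - Q)) - 1, m) for m in a + b)
    Delta = n * (eps + delta)
    return (gcd(N, B) == 1, gcd(A, B) == 1, 0 < Delta < alpha < 1,
            4 * N / (1 - Delta) < B, 2 * N / (1 - alpha) < A)

A_BASE, B_BASE = choose_bases(R, 4)          # constructed toy bases
N_TOY = (1 << 61) - 1                        # constructed toy modulus (a prime)
ALPHA = Fraction(1, 2)                       # offset used at step 8

if __name__ == "__main__":
    ab = A_BASE + B_BASE
    print("a =", A_BASE, "b =", B_BASE)
    print("Theorem 3 conditions:", theorem3_conditions(N_TOY, A_BASE, B_BASE, ALPHA))
    x, y = 123456789012345678, 987654321098765432
    w = from_rns(mont_mul(to_rns(x, ab), to_rns(y, ab), N_TOY, A_BASE, B_BASE, ALPHA), ab)
    print("w < 2N:", w < 2 * N_TOY, " w*B == x*y (mod N):", (w * prod(B_BASE) - x * y) % N_TOY == 0)
```

Step 4 deliberately runs BE with α = 0, so the extended t̂ may be t + B; the final result still satisfies w < 2N because condition (4) of Theorem 3 absorbs that error.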
4.3 RNS-Radix Conversion 

As Equation (4) is the basis for the whole algorithm, the equation is used as the 
basis for the RNS-to-Radix conversion. Radix-$2^r$ representations for $A_i$ and $A$ 
are derived below. 

$$A_i = (2^{r(n-1)}, \cdots, 2^{r}, 1)\,(A_{i(n-1)}, \cdots, A_{i(0)})^{T},\qquad A = (2^{r(n-1)}, \cdots, 2^{r}, 1)\,(A_{(n-1)}, \cdots, A_{(0)})^{T} .$$

By substituting these into Equation (4) and rearranging the equation, we obtain 

$$x = (2^{r(n-1)}, \cdots, 2^{r}, 1)\begin{pmatrix} \sum_{i=1}^{n} \xi_i A_{i(n-1)} - kA_{(n-1)} \\ \vdots \\ \sum_{i=1}^{n} \xi_i A_{i(0)} - kA_{(0)} \end{pmatrix} . \qquad (12)$$
Each row in Equation (12) can be computed in parallel by using the Cox-Rower 
Architecture. Note that in this case, the carry should be accumulated in each unit 
while the $n$ steps of summation are being continued. After the summation is 
finished, the saved carry is propagated from Rower unit 1 up to Rower unit $n$. 
The carry propagation circuit is shown in Fig. 4 with arrows from Rower unit 
$(i-1)$ to $i$. This carry propagation requires $n$ steps. The transformation is 
error-free if the conditions in Theorem 1 are satisfied. 

Although the transformed value is error-free, the output value of the Mont-
gomery multiplication itself may be larger than the modulus $N$. Therefore it is nec-
essary that $N$ is subtracted from the transformed radix representation if it is 
larger than $N$. This is called a (final) correction, and is carried out in $n$ steps 
on the same hardware. 



4.4 Radix-RNS Conversion 

Given a radix-$2^r$ representation of $x$ as $(x_{(n-1)}, \cdots, x_{(0)})$, we have to derive a 
method to compute $\langle x \rangle_m$ that matches the Cox-Rower Architecture. By 
applying the mod $m_i$ operation to Equation (1), we obtain 

$$x[m_i] = \sum_{j=0}^{n-1} x_{(j)}\,2^{rj}[m_i] \bmod m_i \qquad (\text{for } i).$$

If the constants $2^{rj}[m_i]$ are precomputed, this computation is well suited to the Cox-
Rower Architecture. The computation finishes in $n$ steps when executed by $n$ 
units in parallel. 
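The Radix-to-RNS conversion of section 4.4 and the RNS-to-Radix conversion of Equation (12), with the per-word accumulation and single carry propagation that section 4.3 describes, as an added Python example that is not the paper's code. It computes the reduction factor exactly as k = ⌊Σ ξ_i/m_i⌋ (section 3.1) rather than with the Cox estimate, and uses a constructed base of four moduli near 2^8 (r = 8).

```python
"""Radix <-> RNS conversion for the Cox-Rower setting (sections 4.3, 4.4), using
the exact reduction factor k = floor(sum xi_i/m_i) of section 3.1 instead of
the Cox estimate.  Constructed toy parameters: r = 8, n = 4 moduli below 2^8."""
from fractions import Fraction
from math import floor, prod

R = 8
BASE = [255, 253, 251, 247]       # constructed: pairwise coprime, close to 2^8


def to_radix(x, r, n):
    """Equation (1): x -> (x_(n-1), ..., x_(0)) with 0 <= x_(i) < 2^r."""
    return [(x >> (r * i)) & ((1 << r) - 1) for i in reversed(range(n))]


def from_radix(words, r):
    """Inverse of to_radix (words given x_(n-1) first)."""
    return sum(w << (r * i) for i, w in enumerate(reversed(words)))


def radix_to_rns(words, r, base):
    """Section 4.4: x[m_i] = sum_j x_(j) * 2^(rj)[m_i] mod m_i, with the table
    2^(rj)[m_i] precomputed; one unit per modulus, n multiply-accumulate steps."""
    n, res = len(words), []
    for m in base:
        table = [pow(2, r * j, m) for j in range(n)]       # precomputed 2^(rj) mod m_i
        acc = 0
        for j, w in enumerate(reversed(words)):            # x_(0) first
            acc = (acc + w * table[j]) % m
        res.append(acc)
    return res


def reduction_factor(res, base):
    """Section 3.1: xi_i = x[m_i] * M_i^-1[m_i] mod m_i and
    k = floor(sum_i xi_i / m_i), with 0 <= k < n (exact rationals here)."""
    M = prod(base)
    xi = [(x * pow(M // m, -1, m)) % m for x, m in zip(res, base)]
    return xi, floor(sum(Fraction(x, m) for x, m in zip(xi, base)))


def rns_to_radix(res, base, r, n_words):
    """Section 4.3, Equation (12): x = sum_i xi_i*M_i - k*M evaluated word by
    word.  Each word position w accumulates sum_i xi_i*M_i(w) - k*M(w) on its
    own (carry saved locally); afterwards one carry propagation runs from word 0
    up to word n_words-1, as the text describes for the Rower units."""
    M = prod(base)
    xi, k = reduction_factor(res, base)
    m_i_words = [to_radix(M // m, r, n_words)[::-1] for m in base]    # x_(0) first
    m_words = to_radix(M, r, n_words)[::-1]
    acc = [sum(x * mw[w] for x, mw in zip(xi, m_i_words)) - k * m_words[w]
           for w in range(n_words)]                                    # n parallel units
    carry, out = 0, []
    for w in range(n_words):                         # carry propagation, n steps
        carry, digit = divmod(acc[w] + carry, 1 << r)
        out.append(digit)
    if carry != 0:
        raise ValueError("x >= 2^(r*n_words): result does not fit")
    return out[::-1]                                  # back to (x_(n-1), ..., x_(0))


if __name__ == "__main__":
    x = 3_000_000_000                                 # constructed, x < M = prod(BASE)
    words = to_radix(x, R, 4)
    res = radix_to_rns(words, R, BASE)
    print("radix words:", words, " RNS:", res, " k =", reduction_factor(res, BASE)[1])
    print("round trip ok:", rns_to_radix(res, BASE, R, 4) == words)
```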
5 Implementation 

5.1 Parameter Design 

This section describes a procedure to determine the parameters $r$, $n$, $\varepsilon$, $\delta$, $\alpha$, and $q$ 
for a given modulus $N$ to satisfy the five conditions in Theorem 3. First we assume 
$N$ is a 1024-bit number and all base elements $a_i$ and $b_i$ are 32 bits, i.e., $r = 32$. 
This requires $nr > 1024$ and thus $n \ge 33$. 

Since $\varepsilon = \mathrm{Max}(2^r - m_i)/2^r$, if $a_i$ and $b_i$ are taken sufficiently close to $2^r$, $\varepsilon$ 
can be small. Actually, by computer search, for $n = 33$ we can find $a$ and $b$ with 
ε < 2“^^, which satisfy Conditions (1) and (2) in Theorem 3. 

$\delta$'s upper bound is mainly restricted by $q$, namely the precision of the adder 
in the Cox unit. We can derive the following inequality (see Appendix C). 

$$0 \le \delta \le \frac{1}{2^q}\cdot\frac{1 - 2^{-(r-q)}}{1 - \varepsilon} \approx \frac{1}{2^q}$$

The last approximation is correct if $2^{-(r-q)} \ll 1$ and $\varepsilon \ll 1$. On the other hand, 
Condition (3), $\Delta = n(\varepsilon + \delta) < \alpha$, is rearranged to $\delta < \alpha/n - \varepsilon$. Therefore, the 
following condition is sufficient for $\Delta$ to be less than $\alpha$. 



If we choose $\alpha = 1/2$, $n = 33$, and ε < 2“^^, the minimum acceptable value for 
$q$ is 7. This means the Cox unit should have a 7-bit adder to satisfy Condition (3) 
and the initial value $\alpha$ of its output register can be 1/2. 

Finally, by the definition of $\varepsilon$, $A, B > 2^{nr}(1 - \varepsilon)^n$ can be shown. Comparing this 
value with $4N/(1 - \Delta)$ and $2N/(1 - \alpha)$, it is shown that for $n = 33$, Conditions 
(4) $4N/(1 - \Delta) < B$ and (5) $2N/(1 - \alpha) < A$ are satisfied. 

5.2 Performance 

Table 1 summarizes the number of operations necessary to estimate the modular ex-
ponentiation time. Columns (1), (2), and (3) of the table correspond to a Mont-
gomery multiplication, an exponentiation, and other functions, respectively. Let 
$L$, $f$, and $R$ denote the total number of operations, the operating frequency, 
and the throughput of exponentiation, respectively. $L$ is then roughly estimated 
by $L = (1) \times (2) + (3)$ and $R = f \cdot nr/(L/n)$. Here, $L$ is divided by $n$ because $n$ 
processing units operate at a time. The throughput $R$ is then approximated by 

$$R \approx \frac{f}{3n + 27/2} .$$

For 1024-bit full exponentiation, $R$ is about 890 [kbit/sec] if $r = 32$, $n = 33$, 
and $f = 100$ MHz are chosen. According to [8], these are a reasonable choice 
for deep sub-micron CMOS technologies such as 0.35 to 0.18 µm. If the binary 
exponentiation is replaced by a 4-bit window method, $R$ is improved to 1.1 
[Mbps] with a penalty of approximately 4 kByte RAM increase. Table 2 shows 
the required memory size for a binary exponentiation. 
Table 1. Number of Operations in algorithm EXP 

                     (1) Alg. MM           (2) Alg. EXP   (3) Others 
                     Alg. BE    Others     No. of MM      Radix-RNS   RNS-Radix   Correction 
Operation            mod-mul    mod-mul    -              mod-mul     mod-mul     Subtraction 
No. of Operations    2n(n+2)    5n         3nr/2 + 2                  2n^2 + n 





Table 2. Memory Size (r = 32, n = 33) 

                  RAM (Byte)   ROM (Byte) 
Symbol            nr           nr(7n + 11)/8 
Total             1k           32k 
Per Rower Unit    32           970 



6 Conclusion 

A new RNS Montgomery multiplication algorithm has been presented. Our al- 
gorithm together with representation transformations can be implemented on 
the Cox-Rower Architecture proposed in this paper. The performance is roughly 
estimated and turns out to be quite high because of the inherent parallelism of 
RNS. This paper contains no explanation of the fact that the modular reduc- 
tion operation $y = x \bmod m_i$ used in Equation (11) etc. can be relaxed 
to $y \equiv x \pmod{m_i}$ and $y < 2^r$. In this case as well, theorems similar to Theorems 
1, 2, and 3 can be proven. The relaxed modular reduction will result in simpler 
hardware. In addition, for moduli $m_i = 2^r - \mu_i$, $\mu_i$ can be chosen so that the 
modular reduction is fast, and $\mu_i \ll 2^r$ is one such criterion. A VLSI design and 
a detailed performance estimation remain to be studied. 
A Proof of Theorems 1 and 2 

From Equation (8), $\delta_{m_i} = (\xi_i - \mathrm{trunc}(\xi_i))/m_i$. This leads to $\mathrm{trunc}(\xi_i) = \xi_i - m_i\delta_{m_i}$. 
Similarly, since $\varepsilon_{m_i} = (2^r - m_i)/2^r$, $2^r = m_i/(1 - \varepsilon_{m_i})$ holds. Taking 
these into account, the following equation can be derived. 

$$\frac{\mathrm{trunc}(\xi_i)}{2^r} = \frac{(\xi_i - m_i\delta_{m_i})(1 - \varepsilon_{m_i})}{m_i}, \qquad 
\sum_{i=1}^{n}\frac{\mathrm{trunc}(\xi_i)}{2^r} = \sum_{i=1}^{n}\frac{\xi_i}{m_i}(1 - \varepsilon_{m_i}) - \sum_{i=1}^{n}\delta_{m_i}(1 - \varepsilon_{m_i}).$$

Apparently, 

$$\sum_{i=1}^{n}\frac{\mathrm{trunc}(\xi_i)}{2^r} \ge (1 - \varepsilon_m)\sum_{i=1}^{n}\frac{\xi_i}{m_i} - n\delta_m \ge \sum_{i=1}^{n}\frac{\xi_i}{m_i} - n(\varepsilon_m + \delta_m), \qquad 
\sum_{i=1}^{n}\frac{\mathrm{trunc}(\xi_i)}{2^r} \le \sum_{i=1}^{n}\frac{\xi_i}{m_i}.$$

Now it follows that 

$$\sum_{i=1}^{n}\frac{\xi_i}{m_i} - n(\varepsilon_m + \delta_m) \le \sum_{i=1}^{n}\frac{\mathrm{trunc}(\xi_i)}{2^r} \le \sum_{i=1}^{n}\frac{\xi_i}{m_i}.$$

By adding $\alpha$ on each side and substituting Equation (5), the following equation 
is obtained. 

$$\Bigl(k + \frac{x}{M}\Bigr) - n(\varepsilon_m + \delta_m) + \alpha \le \sum_{i=1}^{n}\frac{\mathrm{trunc}(\xi_i)}{2^r} + \alpha \le k + \frac{x}{M} + \alpha. \qquad (13)$$
Case 1: If $0 < n(\varepsilon_m + \delta_m) < \alpha < 1$ and $0 < x < (1 - \alpha)M$: Equation (13) leads 
to 

$$k \le \sum_{i=1}^{n}\frac{\mathrm{trunc}(\xi_i)}{2^r} + \alpha < k + 1.$$

Therefore, 

$$\hat{k} = \Bigl\lfloor \sum_{i=1}^{n}\frac{\mathrm{trunc}(\xi_i)}{2^r} + \alpha \Bigr\rfloor = k$$

holds. This proves Theorem 1. 

Case 2: If $\alpha = 0$, $0 < n(\varepsilon_m + \delta_m) < 1$, and $0 < x < M$: From Equation (13) 

$$k - 1 < \sum_{i=1}^{n}\frac{\mathrm{trunc}(\xi_i)}{2^r} < k + 1.$$

Then, 

$$\hat{k} = \Bigl\lfloor \sum_{i=1}^{n}\frac{\mathrm{trunc}(\xi_i)}{2^r} \Bigr\rfloor = k \ \text{or}\ k - 1.$$

It is easy to see that, if $x/M - n(\varepsilon_m + \delta_m) > 0$, then $\hat{k} = k$. Contraposition leads 
to that if $\hat{k} = k - 1$, then $x/M - n(\varepsilon_m + \delta_m) < 0$. Therefore, if $\hat{k} = k - 1$, 

$$z = \sum_{i=1}^{n}\xi_i M_i - \hat{k}M = x + M < \{n(\varepsilon_m + \delta_m) + 1\}M.$$

Of course, if $\hat{k} = k$, then $z = x$ and $z < M$. This proves Theorem 2. 



B Proof of Theorem 3 

The following requirements should be considered: 

— Both $N^{-1} \bmod B$ and $B^{-1} \bmod A$ exist, 

— All intermediate values are less than $AB$, 

— For inputs less than $2N$, the algorithm outputs $w$ which is less than $2N$, 

— Base extension error at step 4 does not cause any trouble, 

— $w$ is computed correctly at step 7 and base extension at step 8 is error-free. 

The first requirement is satisfied by Conditions (1) and (2) in Theorem 3. 

Here we define $\hat{t}$ as the result of base extension at step 4. We also define the 
correct value as $t = s(-N^{-1}) \bmod B$. Due to Theorem 2, $\hat{t} = t$ or $t + B$, and 

$$\hat{t} < \{1 + n(\delta_b + \varepsilon_b)\}B < (1 + \Delta)B.$$
With this inequality, the largest intermediate value $v$ is evaluated as follows: 

$$\begin{aligned}
v &= xy + \hat{t}N < xy + (1 + \Delta)BN \\
  &< (1 - \Delta)BN + (1 + \Delta)BN && \text{(by Condition (4))} \\
  &= 2BN \\
  &< (1 - \alpha)AB && \text{(by Condition (5))} \\
  &< AB && \text{(by Condition (3)).} \qquad (14)
\end{aligned}$$



This satisfies the second requirement above. Further, by dividing each term of 
Equation (14) by $B$, we also obtain $w = v/B < 2N < (1 - \alpha)A$. Thus the third 
requirement above is satisfied, and the value $\langle w \rangle_A$ is extended to $\langle w \rangle_{A \cup B}$ 
without error if $\alpha$ is chosen according to Condition (3) and $w$ is an integer. 

We still have to confirm that $v$ computed with $\hat{t}$ is a multiple of $B$, and 
whether $w$ is correctly computed by $\langle v \rangle_A \langle B^{-1} \rangle_A$. Since $v$ is either $xy + tN$ 
or $xy + (t + B)N$ and $xy + tN \equiv 0 \pmod B$, we obtain $v \equiv 0 \pmod B$. So $v$ is 
a multiple of $B$ and $w = v/B$ is an integer, which is less than $A$. Taking these 
into account, $w$ can be computed by $\langle v \rangle_A \langle B^{-1} \rangle_A$, because $vB^{-1} \bmod A = 
(wB)B^{-1} \bmod A = w \bmod A = w$ (the last equation is due to $w < A$). On the other 
hand, 

$$w = \frac{v}{B} = \frac{xy + tN}{B} \quad \text{or} \quad \frac{xy + (t + B)N}{B}. \qquad (15)$$

In both cases, it is easy to confirm $w \equiv xyB^{-1} \pmod N$. This proves Theorem 3. 
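To make the bookkeeping of this proof concrete, here is an added Python check (not from the paper; the paper's algorithm works on RNS residues, this uses plain integers) that runs one Montgomery step $w = xyB^{-1} \bmod N$ with a modelled base-extension error and verifies the three facts proved above: $v < AB$ (Eq. 14), $w < 2N$, and $w \equiv xyB^{-1} \pmod N$ (Eq. 15). The bases, $N$, $\alpha = 1/2$ and $\Delta = 1/4$ are constructed values; `base_extend_t` is an assumption standing in for the behaviour Theorem 2 guarantees (it returns $t + B$ exactly when $t < \Delta B$, the only case in which the theorem permits the error).

```python
from math import gcd

# Constructed RNS bases (small primes so the arithmetic is easy to follow); the
# paper's setting has n moduli of r bits each, A = prod(a_i), B = prod(b_i).
A = 229 * 227 * 223 * 211
B = 251 * 241 * 239 * 233

# Assumed error parameters: ALPHA is the Cox unit's initial value of Sect. 5.1,
# DELTA stands for Delta = n(epsilon + delta) of Condition (3).
ALPHA = 0.5
DELTA = 0.25


def pick_modulus(bits, A, B):
    """Largest odd N below 2**bits that is coprime to both bases (constructed)."""
    N = 2 ** bits - 1
    while gcd(N, A * B) != 1:
        N -= 2
    return N


def conditions_hold(N, A, B, delta=DELTA, alpha=ALPHA):
    """Conditions (1)-(5) of Theorem 3 as stated in the paper."""
    return (gcd(N, B) == 1 and gcd(B, A) == 1      # (1), (2): inverses exist
            and delta < alpha                       # (3)
            and 4 * N / (1 - delta) < B             # (4)
            and 2 * N / (1 - alpha) < A)            # (5)


def base_extend_t(t, B, delta=DELTA):
    """Model of the base extension at step 4 (assumption): Theorem 2 allows the
    result to be t + B instead of t, but only when t < Delta*B, otherwise the
    bound t_hat < (1 + Delta)B would be violated. We take the error whenever it
    is permitted, which is the worst case for the proof."""
    return t + B if t < delta * B else t


def montgomery_rns(x, y, N, A, B):
    """One Montgomery multiplication with integers standing in for RNS values.
    Returns (v, w, errored) where v is the largest intermediate value."""
    s = (x * y) % B
    t = (s * (-pow(N, -1, B))) % B      # t = s(-N^{-1}) mod B
    t_hat = base_extend_t(t, B)         # step 4: possibly erroneous extension
    v = x * y + t_hat * N               # v = xy + t_hat N
    assert v % B == 0                   # v is a multiple of B in both cases
    w = v // B                          # step 7: w = v/B, i.e. <v>_A <B^{-1}>_A
    return v, w, t_hat != t


def check_theorem3(x, y, N, A, B):
    """Verify the facts proved in Appendix B for the given inputs x, y < 2N."""
    v, w, errored = montgomery_rns(x, y, N, A, B)
    return {
        "intermediate_below_AB": v < A * B,                        # Eq. (14)
        "output_below_2N": w < 2 * N,                              # third requirement
        "correct_residue": w % N == (x * y * pow(B, -1, N)) % N,   # Eq. (15)
        "extension_error_taken": errored,
    }


def find_error_case(N, A, B):
    """Search inputs x, y < 2N for which the modelled extension error fires."""
    x = 2 * N - 1
    for y in range(2 * N - 1, N, -2):
        if montgomery_rns(x, y, N, A, B)[2]:
            return x, y
    raise ValueError("no error case found")


if __name__ == "__main__":
    N = pick_modulus(28, A, B)
    print("conditions hold:", conditions_hold(N, A, B))
    print("error case:", check_theorem3(*find_error_case(N, A, B), N, A, B))
```

Running it shows that even when the base extension returns $t + B$, the output stays below $2N$ and carries the right residue, which is exactly the "does not cause any trouble" requirement above.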



C $\delta$'s Upper Bound 

From Equation (8), $\delta_{m_i} = (\xi_i - \mathrm{trunc}(\xi_i))/m_i$. 

$$\delta = \mathrm{Max}\Bigl(\frac{\xi_i - \mathrm{trunc}(\xi_i)}{m_i}\Bigr) \le \frac{\mathrm{Max}(\xi_i - \mathrm{trunc}(\xi_i))}{\mathrm{Min}(m_i)}. \qquad (16)$$

On the other hand, 

$$\varepsilon = \mathrm{Max}\Bigl(\frac{2^r - m_i}{2^r}\Bigr) = \frac{2^r - \mathrm{Min}(m_i)}{2^r}.$$

This leads to 

$$\mathrm{Min}(m_i) = 2^r(1 - \varepsilon). \qquad (17)$$

Also, 

$$\xi_i - \mathrm{trunc}(\xi_i) = (\underbrace{0 \cdots 0}_{q}\,\underbrace{\ast \cdots \ast}_{r-q})_{(2)} \le (\underbrace{1 \cdots 1}_{r-q})_{(2)} = 2^{r-q} - 1. \qquad (18)$$

Substituting (17) and (18) into (16) results in 

$$\delta \le \frac{2^{r-q} - 1}{2^r(1 - \varepsilon)} < \frac{1}{2^q} \cdot \frac{1}{1 - \varepsilon}.$$
Abstract. Voting schemes that provide receipt-freeness prevent voters 
from proving their cast vote, and hence thwart vote-buying and coer- 
cion. We analyze the security of the multi-authority voting protocol of 
Benaloh and Tuinstra and demonstrate that this protocol is not receipt- 
free, as opposed to what was claimed in the paper and was believed before. 
Furthermore, we propose the first practicable receipt-free voting scheme. 
Its only physical assumption is the existence of secret one-way communi- 
cation channels from the authorities to the voters, and due to the public 
verifiability of the tally, voters only join a single stage of the protocol, 
realizing the “vote-and-go” concept. The protocol combines the advan- 
tages of the receipt-free protocol of Sako and Kilian and of the very 
efficient protocol of Cramer, Gennaro, and Schoenmakers, with help of 
designated-verifier proofs of Jakobsson, Sako, and Impagliazzo. 
Compared to the receipt-free protocol of Sako and Kilian for security 
parameter ℓ (the number of repetitions in the non-interactive cut-and- 
choose proofs), the protocol described in this paper realizes an improve- 
ment of the total bit complexity by a factor ℓ. 



1 Introduction 

1.1 Background 

Secret-ballot voting protocols are one of the most significant applications of 
cryptographic protocols. The most efficient secret-ballot voting protocols can 
be categorized by their approaches into three types: Schemes using mix-nets 
[Cha81,PIK93,SK95,OKST97,Jak98,Abe99], schemes using homomorphic 
encryption [CF85,CY86,Ben87,BT94,SK94,CFSY96,CGS97], and schemes using 
blind signatures [FOO92,Sak94,Oka97]. The suitability of each of these three 
types varies with the conditions under which it is to be applied. 

In a model with vote-buyers (or coercers), a voting scheme must ensure not 
only that a voter can keep his vote private, but also that he must keep it private. 
In other words, the voter should not be able to prove to a third party that he has 
cast a particular vote. He must neither obtain nor be able to construct a receipt 
proving the content of his vote. This property is referred to as receipt-freeness. 

* Supported by the Swiss National Science Foundation, project no. SPP 5003-045293. 

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 539-556, 2000. 

© Springer-Verlag Berlin Heidelberg 2000 




540 



Martin Hirt and Kazue Sako 



The concept of receipt-freeness was first introduced by Benaloh and Tuinstra 
[BT94]. Based on the assumption of a voting booth that physically guarantees 
secret communication between the authorities and each voter, they proposed 
two voting protocols using homomorphic encryptions. The first one is a single- 
authority voting protocol which, while being receipt-free, fails to maintain vote 
secrecy. Then they extend this protocol to the second protocol, which is a multi- 
authority scheme achieving vote secrecy. However, we show that this scheme is 
not receipt-free, as opposed to what is claimed in the paper. 

Another receipt-free voting protocol based on a mix-net channel was proposed 
by Sako and Kilian [SK95]. In contrast to [BT94], it assumes only one-way secret 
communication from the authorities to the voters. The heavy processing load 
required for tallying in mix-net schemes, however, is a significant disadvantage 
of this protocol. 

Finally, a receipt-free voting scheme using blind signatures was given by 
Okamoto [Oka97]. Here, the assumption was of anonymous one-way secret com- 
munication from each voter to each authority. Achieving communication that is 
both secret and anonymous would, however, be extremely difficult. Also, this 
scheme requires each voter to be active in three rounds (authorization stage, 
voting stage, and claiming stage), which is not acceptable in practice. 

Another stream of research which relates to receipt-freeness is incoercible 
multi-party computation. Without any physical assumption, deniable encryp- 
tion [CDNO97] allows an entity to lie later about how the ciphertext decrypts, and 
this technique is used to achieve incoercible multi-party computation [CG96]. 
However, the concept of incoercibility is weaker than receipt-freeness. It would 
allow a voter to lie about his vote, but it cannot help against a voter who wants 
to make his encryption undeniable, and hence cannot prevent vote-buying. 



1.2 Contributions 

In this paper, we first demonstrate that the multi-authority protocol of Benaloh 
and Tuinstra [BT94] is not receipt-free, as opposed to what was claimed in the 
paper and was believed before. We then present a novel generic construction 
for introducing receipt-freeness into a voting scheme based on homomorphic 
encryption by assuming some additional properties of the encryption function. 
This construction also includes a solution for the case that an authority does 
not send correct information through the untappable channel.¹ Moreover, as 
opposed to previous receipt-free protocols, we disable vote-buying even in cases 
where some authorities are colluding with the vote-buyer. The security of these 
protocols is specified with respect to a threshold, where the correctness of the 
tally is guaranteed as long as at least that many authorities remain honest during the 
whole protocol execution, and privacy is guaranteed as long as fewer than that many 
curious authorities pool their information. 

¹ Due to the untappability of the channel the voter cannot prove that the received 
information is incorrect. In previous protocols, this problem was ignored, and the 
situation of a voter complaining about an authority would have led to a deadlock. 
Our construction gives a receipt-free voting protocol which runs as follows: 
For each voter the authorities jointly generate a randomly ordered list with an 
encryption of each valid vote, along the lines of [SK95]. The ordering of the 
list is secretly conveyed and proven to the voter by deploying the technique of 
designated-verifier proofs [JSI96], and the voter points to the encryption of his 
choice. Tallying of votes is performed using the homomorphic property of the 
encryption function. 

By applying this generic construction to the voting protocol of Cramer, Gen- 
naro, and Schoenmakers [CGS97], we obtain an efficient receipt-free voting pro- 
tocol based on homomorphic encryption. 

The efficiency achieved by our protocol compared to the protocol of Sako 
and Kilian [SK95] with security parameter ℓ in the case of 1-out-of-2 voting is as 
follows: The communication through the untappable channels and through the 
public channels is reduced by a factor of ℓ/4 and 3ℓ/2, respectively. Altogether, 
this results in a speedup by a factor of ℓ. As an example, for 1 000 000 
voters, 10 authorities, a 1024-bit group, and security parameter ℓ = 80, 
the protocol of [SK95] communicates 102 GB (gigabyte) over the untappable 
channels and 924 GB over the public channels, whereas the protocol of this paper 
communicates 5 GB over untappable channels and 8 GB over public channels. 

1.3 Organization of the Paper 

The paper is organized as follows: In Sect. 2, we analyze the receipt-freeness of 
the protocol with multiple voting authorities of Benaloh and Tuinstra [BT94] 
and demonstrate that it is not receipt-free by showing how a voter can construct a 
receipt for the vote he casts. In Sect. 3, we present a generic receipt-free protocol 
for 1-out-of-L voting based on homomorphic encryptions, and in Sect. 4 we apply 
these techniques to the protocol of Cramer, Gennaro, and Schoenmakers [CGS97] 
and obtain an efficient receipt-free voting scheme. Finally, in Sect. 5, we even 
improve the efficiency of our protocol by tailoring it to 1-out-of-2 voting. 



2 Analysis of the Benaloh- Tuinstra Protocol 

The notion of receipt-freeness was first introduced by Benaloh and Tuinstra in 
[BT94]. They present two protocols that are claimed to be receipt-free. In the 
single-authority protocol, the authority learns how each vote was cast. This is 
of course far from satisfactory. In this section, we analyze the receipt-freeness 
of their protocol with multiple voting authorities and show how a voter can 
construct a receipt for the vote he casts. 

2.1 Key Ideas of the Protocol 

The basic idea of the multiple-authority protocol [BT94] is to have every voter 
secret-share his vote among the authorities (using Shamir’s secret-sharing scheme 
[Sha79]), who then add up the shares and interpolate the tally. This idea works 
due to the linearity of the secret-sharing scheme. There are two major tasks to 
solve: First, the voter must send one share to each authority in a receipt-free 
manner, and second, the voter must prove that the secret (the vote) is valid. 

We concentrate on the second task: In order to secret-share the vote, the voter 
selects a random polynomial of appropriate degree whose value at 0 (an element of {0, 1}) is 
his vote. The share for the i-th authority is hence the polynomial evaluated at i. Clearly, it is inherently 
important that the vote is valid, i.e. that the value at 0 lies in {0, 1}, since otherwise the tally will 
be incorrect. Hence, the voter must provide a proof of validity for the cast vote. 

For the sake of the proof of validity, the voter wishing to cast a vote v_0 
submits a bunch of n + 1 vote pairs, where n is a security parameter. That is, 
the voter submits the votes (v_0, v'_0), ..., (v_n, v'_n), and each pair (v_i, v'_i) of votes 
must contain one 0-vote and one 1-vote in random order. For each pair (v_i, v'_i) 
but the first, a coin is tossed and the voter is either asked to open the pair and 
show that indeed there is a 0-vote and a 1-vote, or he is asked to prove that 
either v_i = v_0 and v'_i = v'_0 is satisfied, or that v_i = v'_0 and v'_i = v_0 is satisfied. 
If the voter passes these tests, then with probability at least 1 − 2^{−n}, v_0 is valid 
and is accepted as the voter’s vote. 
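The sharing-and-adding idea of this subsection, as an added Python illustration (not code from [BT94] or from the present paper): each voter's bit is Shamir-shared, every authority adds the shares it holds, and any threshold-sized subset of the summed shares interpolates the tally. The field prime, the use of `secrets` for the coefficients, and the `check_valid` switch are constructed for the example; the unchecked call shows why the proof of validity matters, since an out-of-range "vote" silently inflates the interpolated sum.

```python
import secrets

P = 2 ** 61 - 1   # constructed prime field for the shares (a Mersenne prime)


def share_vote(vote, n_auth, threshold, check_valid=True):
    """Shamir-share one vote: random polynomial of degree threshold-1 whose value
    at 0 is the vote; authority i (1 <= i <= n_auth) receives poly(i)."""
    if check_valid and vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    coeffs = [vote % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n_auth + 1)}


def add_shares(per_voter_shares, n_auth):
    """Each authority adds the shares it received from all voters (linearity)."""
    return {i: sum(s[i] for s in per_voter_shares) % P
            for i in range(1, n_auth + 1)}


def interpolate_at_zero(shares):
    """Lagrange interpolation at 0 from a dict {i: poly(i)} of threshold points."""
    total = 0
    for i, yi in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def tally(votes, n_auth, threshold, check_valid=True):
    """Run the sharing, the per-authority addition and the interpolation."""
    per_voter = [share_vote(v, n_auth, threshold, check_valid) for v in votes]
    summed = add_shares(per_voter, n_auth)
    subset = {i: summed[i] for i in range(1, threshold + 1)}   # any threshold shares do
    return interpolate_at_zero(subset)


if __name__ == "__main__":
    print(tally([1, 0, 1, 1, 0], n_auth=5, threshold=3))            # 3
    print(tally([1, 0, 7], n_auth=3, threshold=2, check_valid=False))  # 8: invalid vote counted
```

No single authority learns a vote (each holds one point of a random polynomial), yet the sum of the polynomials interpolates to the sum of the votes; what the sharing cannot enforce by itself is that each constant term is 0 or 1, which is why the cut-and-choose proof above exists.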

2.2 How to Construct a Receipt 

This cut-and-choose proof of validity offers an easy ability to prove a particular 
vote: In advance, the voter commits to the ordering of each pair of votes (i.e. he 
commits to the bit string v_0 ... v_n). In each round of the cut-and-choose proof, 
one can verify whether the revealed data is consistent with this commitment. If 
no inconsistencies are detected while proving the validity of the vote, then with 
probability at least 1 − 2^{−n} the voter has chosen the ordering as committed, and 
also v_0 is as announced. 

In order to obtain a receipt, the voter could select an arbitrary string s, and 
set the string (v_0 ... v_n) as the bitwise output of a known cryptographic hash 
function (e.g. MD5 or SHA) for that string s. Then, s is a receipt of the vote v_0. 



3 Generic Receipt-Free Protocol 

In this section, we present a novel and general construction for converting a 
voting protocol based on homomorphic encryption (with additional properties 
of the encryption function) into a receipt-free voting protocol. Receipt-freeness 
means that the voter cannot prove to a third party that he has cast a particular 
vote. The reason why most classical voting schemes are not receipt-free is simple: 
Each encrypted vote is published, and the voter himself can prove the content 
of his vote by revealing the randomness he used for encrypting. When a scheme 
requires the voter to choose randomness, then often the voter can exploit this 
to construct a receipt, for example by using the hash of a predetermined value 
(cf. Sect. 2). Therefore, in the protocol of this paper, the authorities jointly 
generate an encryption of each valid vote in random order, and each voter only 
points to the encrypted vote of his choice. The ordering of the encrypted valid 
votes is proven to the voter in designated-verifier manner through the untappable 
channel, so that the voter cannot transfer this proof to a vote-buyer. 



3.1 Model and Definitions 

Entities. We consider a model with a set of authorities and a set of voters. 
A threshold denotes the lower bound on the number of authorities that is 
guaranteed to remain honest during the complete protocol execution. 

Communication. Communication takes place by means of a bulletin board 
which is publicly readable, and which every participant can write to (into his 
own section), but nobody can delete from. The bulletin board can be consid- 
ered as public channels with memory. Furthermore, we assume the existence of 
untappable one-way channels from the authorities to the voters. The security 
of these channels must be physical, in such a way that even the voter cannot 
demonstrate what was sent over the channel (of course, the voter can record all 
received data, but he must not be able to prove to a third party that he received 
a particular string). Even a coercer who is physically present at the voter’s place 
must not be able to eavesdrop on the untappable channels. Note that some physical 
assumption seems to be inevitable for achieving receipt-freeness.² Indeed, untap- 
pable one-way channels from the authorities to the voters (as assumed in this 
paper and in [SK95]) are the weakest physical assumption for which receipt-free 
voting protocols are known to exist. 

Key Infrastructure. To each voter, a secret key and a public key are associ- 
ated, where it must be ensured that each voter knows the secret key corresponding 
to his public key. This assumption is very natural and typically used for voter 
identification in any voting protocol. For the purpose of receipt-freeness, the 
knowledge of his own key is essential. If a voter can prove that he does not know 
his own secret key, then he can obtain a receipt (this holds for this protocol as 
well as for the protocol in [SK95]). We assume that the underlying public-key 
infrastructure guarantees that each voter knows his own key, but nevertheless 
we present a verification protocol (see Appendix A). Note that the receipt-free 
property is still achieved even if a voter discloses his secret key to the vote-buyer. 

Generality. The protocol is a 1-out-of-L voting scheme, where each entitled 
voter may submit one vote from the set V of valid votes, |V| = L (e.g. L = 2 
and V = {−1, 1}). The goal of the protocol is to securely compute the tally as 
the sum of the cast votes. Note that the restriction to a discrete set of valid 
votes is necessary in any receipt-free voting scheme. Voting schemes that allow 
the voter to cast an arbitrary string as his vote cannot ensure receipt-freeness, 
because they allow the voter to tag his vote. 

² If the coercer is able to tap all communication channels between the voter and the 
authorities, then apparently the voter’s private information (including secret key 
and randomness) is a receipt of the vote he has cast. The model for incoercible 
multi-party computation [CG96] does not assume physically secure channels, but 
participants who want to prove a certain behavior can do so in this setting, thus 
receipt-freeness is not achieved. 

Security. The security of the protocol comprises that the correctness of the 
computed tally is guaranteed as long as at least the threshold number of authorities remain honest 
during the whole protocol execution (correctness); that any set of fewer than the threshold number of 
authorities cannot decrypt any cast vote (privacy); and that a voter cannot prove 
to a third party which particular vote he has cast (receipt-freeness). In general, 
we assume that authorities do not collude with the vote-buyer or the 
coercer, respectively (as assumed in all previous papers considering receipt-freeness). However, 
under certain circumstances some colluding can be tolerated. This is discussed 
in detail in Section 3.5. 

3.2 Protocol Overview 

The basic idea of the voting phase is illustrated in Fig. 1: First, each valid vote is 
encrypted in some deterministic way (e.g., by using the encryption function with 
“randomness” 0). This list of encrypted votes is publicly known (on the very left 
in the figure). Then, the first authority picks this list, shuffles it, and hands it 
to the next authority. To shuffle the list means to re-randomize each entry and 
to permute the order of the entries. In the figure, encryption is illustrated in 
terms of drawing a circle around the secret, and re-randomization is illustrated 
by rotating the secret. Then, the next authority picks the list, shuffles it, and 
so on. In addition to this shuffling, each authority must secretly reveal to the 
voter how the list was reordered yet in a privately verifiable manner through a 
secure untappable channel. This allows the voter to keep track of the ordering 
of the encrypted entries, and once each authority has shuffled the list, he can 
point to the encrypted vote of his choice. In order to prevent a voter who is 
colluding with an authority from casting an invalid vote, each authority must 
publicly prove that she shuffled correctly (without revealing the reordering, not 
shown in the figure). Votes cast this way are receipt-free: due to the private 
verifiability of how shuffling was performed, the voter has no way to convince a 
third party of the content of his vote. This property will be achieved by using 
designated- verifier proof technique [JSI96]. 

3.3 Requirements for the Basic Protocol 

We assume a basic (non receipt-free) voting protocol based on homomorphic 
encryption for the stated model, and we require some extra properties of its 
encryption function. Let E be the (probabilistic) encryption function, and let 
E(v) denote the set of encryptions for a vote v. An encryption of vote v is one 
particular element of E(v). We require the following properties to be 
satisfied. The properties 1-3 are straightforward requirements for the encryption 
function of any voting scheme. The properties 4-6 are required exclusively in 
order to introduce the receipt-free property. 

1. Encryption Secrecy 

For any group of fewer than the threshold number of authorities it must be infeasible to decrypt any 
encryption. 

Fig. 1. Constructing a vote in V = {1, 2, 3} with 3 authorities. 



2. Homomorphic Property 

We assume that the encryption function is homomorphic, that is, given the 
encryptions e_1 ∈ E(v_1) and e_2 ∈ E(v_2), the addition of these encryptions 
yields an encryption e = e_1 ⊕ e_2 that encrypts the sum vote, i.e. e ∈ E(v_1 + v_2). 
We require that this addition can be computed efficiently without any 
secrets. 

3. Verifiable Decryption 

We require an efficient protocol for verifiably decrypting an encrypted sum 
vote, that is, given any encryption e ∈ E(T) the authorities can provide the 
sum of votes T and a proof that e indeed decrypts to T. This decryption 
and the proof must also work if up to the tolerated number of authorities refuse cooperation or 
even misbehave maliciously. This protocol must not reveal any information 
that could weaken Property 1 (secrecy) of other encryptions. 

4. Random Re-encryptability 

We require an algorithm for random re-encryption of any encryption. 
Given e ∈ E(v) (where typically v is unknown), there is a probabilistic 
re-encryption algorithm R that outputs e' ∈ E(v), where e' is uniformly 
distributed over E(v). We call the randomness used for generating e' the 
witness. 

5. Existence of a 1-out-of-L Re-encryption Proof 

Based on the random re-encryptability property, we assume the existence of 
an efficient protocol that, given an encryption e, a list e_1, ..., e_L of encryp- 
tions, and a witness that e_j is a re-encryption of e (for a given j), proves that 
indeed one e_i is a re-encryption of e, without revealing j. This proof is called 
1-out-of-L re-encryption proof. 

6. Existence of a Designated-Verifier Re-encryption Proof 

We assume the existence of an efficient protocol that, given encryptions e 
and e' and a witness for e' being a re-encryption of e, proves the existence 
of such a witness in a manner that only the designated verifier can verify 
its correctness [JSI96]. This proof is called designated-verifier re-encryption 
proof. 

3.4 Introducing Receipt-Freeness 

Given a voting protocol for the stated model which satisfies the requirements 
of the previous section, we can construct a receipt-free voting protocol. We first 
show how votes are generated (by the authorities) and how the voter casts his 
vote, then how tallying is performed. 

Vote Generation. Without loss of generality, assume that for each valid vote 
v_i ∈ V, there exists a standard encryption, where it is clear which v_i a given 
standard encryption belongs to.³ Hence, the list of these standard encryptions is a public list of all standard- 
encrypted valid votes. 

In turn, for each authority k (where k = 1, ...): 

1. Authority k picks the list of encrypted valid votes (for the first 
authority, this is the public list of standard-encrypted valid votes, and 
for all succeeding authorities, this is the list of the previous authority). Then 
the authority shuffles this list randomly, and hands it to the next authority. 
To shuffle the list means to re-encrypt each encrypted vote (Property 4) 
and to permute the order of the list. More precisely, the authority randomly 
selects a permutation π_k: {1, ..., L} → {1, ..., L}, computes a random 
re-encryption of each entry of the received list, and assigns it to the position given by π_k (for all i = 1, ..., L). 

2. Authority k publicly proves that she honestly shuffled, namely by proving for each 
entry of the received list that there exists a re-encryption of it in the shuffled list without reveal- 
ing which (1-out-of-L re-encryption proof, Property 5). 

3. Authority k secretly conveys to the voter the permutation π_k she used for reordering 
the encrypted votes and proves privately to him its correctness. More pre- 
cisely, the permutation π_k and a designated-verifier proof for each i = 1, ..., L 
that the i-th entry of the shuffled list is a re-encryption of the corresponding entry of the received list (Property 6) are sent through the un- 
tappable channel to the voter. 

4. If the voter does not accept the proof, he publicly complains about the 
authority. If the voter does so, then the list of this authority is set to the list of the previous authority, 
i.e. the shuffling of this authority is ignored. The voter may complain against 
at most a bounded number of authorities. 

Casting a Vote. The voter derives the position of the encrypted vote 
of his choice in the final list, and publicly announces it. 

Tallying. The chosen encrypted votes of all voters are then summed for tallying. 
More precisely, they are added (using homomorphic addition ⊕, Property 2) to 
achieve an encryption of the sum of the votes. The authorities decrypt it, 
output the sum and prove its correctness (Property 3). 

³ One technique to generate such encrypted votes is to use the probabilistic encryption 
algorithm E, and give as randomness the all-0 string. Such an encrypted vote 
can be decrypted by trying all valid votes v ∈ V. 
3.5 Security 

Correctness. The correctness of the tally is guaranteed if all voters can cast 
the vote they wish (i.e. can trace the permutations of the authorities, Property 6), 
if they cannot cast invalid votes (Property 5), if the correct encrypted sum can 
be publicly computed (Property 2), and if the decryption of the sum is verifiable 
(Property 3). 

Privacy. The privacy of each voter is guaranteed if an encrypted vote cannot 
be decrypted by an outsider or by any group of fewer than the threshold number of authorities 
(Property 1). Also, given a list of encrypted votes and a shuffled list, it must 
be infeasible to find out which vote in the original list was permuted to which 
vote in the shuffled list (Property 4). Since at least the threshold number of shufflings are performed 
correctly (at most the tolerated number of shufflings can be skipped by a complaining voter), fewer than 
the threshold number of colluding authorities cannot find out the reordering of the list. 

Receipt-Freeness. The voter actively interacts at two points: First (in vote 
generation), the voter can disable the shuffling of up to the tolerated number of authorities, and 
second (in vote casting), the voter points to the encrypted vote of his choice. 
Through the untappable channels, the voter receives the permutations π_k and 
the designated-verifier proofs for the correctness of each π_k. Due to the non- 
transferability of designated-verifier proofs (Property 6) and the untappability 
of the channels used, he can lie about any of these permutations π_k, and this is 
sufficient for not being able to prove the cast vote. Note that although the 
proposed scheme is receipt-free, a coercer still can coerce a voter not to vote, or 
can coerce a voter to vote randomly. 

In case that authorities collude with a vote-buyer or a coercer, then appar- 
ently receipt-freeness is still ensured as long as each voter knows at least one 
authority not colluding with the vote-buyer (then the voter can lie about the per- 
mutation π_k of this authority k). If a voter does not know such an authority, he 
can select one authority at random and lie about this permutation. In the context 
of vote-buying this means that the voter can forge a receipt for a vote he did not 
cast, and the vote-buyer accepts such a forged receipt with probability linear in 
the number of authorities not colluding with him, which seems to be unaccept- 
able for the vote-buyer. However, in the context of coercion, this means that the 
probability of a lying voter being caught is linear in the number of authorities 
colluding with the coercer, and this seems to be unacceptable for the voter. 

4 [CGS97] Made Receipt-Free 

In this section, we construct a receipt-free 1-out-of-L voting scheme based on the 
construction of Sect. 3 and on the protocol of Cramer, Gennaro, and Schoen- 
makers [CGS97]. 

4.1 Homomorphic ElGamal Encryption 

The encryption scheme is exactly the same as used in [CGS97]. Here a very 
brief summary: The scheme is based on the ElGamal cryptosystem [E84]. Let 
G be a commutative group of order |G| = q, where q is a large prime. G can 
be constructed as a subgroup of Z_p^*, where p is a large prime, but can also 
be obtained from elliptic curves. In the sequel, all operations are meant to be 
performed in G. 

Let g be a generator of G, i.e. G = ⟨g⟩. The secret key s is chosen uniformly 
from Z_q, and the public key is h = g^s. The key pair (s, h) is constructed in a way 
that each authority receives a share s_i of s in a threshold secret-sharing 
scheme and is publicly committed to this share by h_i = g^{s_i} [Ped91,CGS97]. Also, 
γ is another (independent) generator of G. The set V of valid votes contains 
values in Z_q. An encryption of a vote v ∈ V is given by 

E(v) = (g^α, γ^v h^α) 

where α ∈_R Z_q is a random number and γ^v is the “message” in the context of 
ElGamal.⁴ We further let (1, γ^v) be the standard encryption of v. 

4.2 Encoding of Votes 

There are several ways of encoding votes in Z_q, such that the sum of several 
votes yields the sum of each type of vote. If for example L = 2, then one could 
set V = {+1, −1} and can derive how many 1-votes and how many (−1)-votes 
were cast from the sum and the number of cast votes. 

For particular cases with L > 2, one can still use a similar approach. For 
example, if voters are allowed to cast “yes”, “no”, or “empty”, and we are only 
interested in whether there are more “yes” or more “no” votes (disregarding the 
number of “empty” votes), one can use the encoding 1 for “yes”, −1 for “no”, 
and 0 for “empty”. 

However, if it must be possible to derive the exact number of cast votes 
for each choice, then more involved approaches are necessary. Along the ideas 
of [CFSY96], one can set V = {1, M, M^2, ..., M^{L−1}}, the successive powers of the 
number of voters M. One can easily compute the number of cast votes for each 
choice, once the sum of the votes is computed. 

We note that in any of the examples given in this subsection, decryption of the 
tally requires computing the discrete logarithm of γ^T, where T is the sum of all 
cast votes (as in [CGS97]). This can be done with complexity [illegible], see 
[CGS97] for more details. 

4.3 Main Protocol 

The main protocol is according to the generic protocol of Sect. 3. All we have
to show is that the above encryption scheme satisfies the required properties of
Sect. 3:

^ The original ElGamal scheme is homomorphic with respect to multiplication. In
order to make it homomorphic with respect to addition (Property 2), the
message is chosen as γ^v. Multiplication of two messages corresponds to addition of
the votes.
1. (Secrecy) The secret key is shared among the authorities such that any
 − 1 authorities cannot compute . Violating the secrecy of the scheme would
mean to either break ElGamal [E84] or the secret-sharing scheme [Ped91].

2. (Homomorphic Property) Addition of two encryptions 1 = ( 1, 1) and
 2 = ( 2, 2) is defined as

 1 ⊕ 2 = ( 1 2, 1 2).

It is obvious that if 1 ∈ (v_1) and 2 ∈ (v_2), then ( 1 ⊕ 2) ∈ (v_1 + v_2).

3. (Verifiable Decryption) In order to decrypt from = ( , ) the authorities
first jointly compute, reveal and prove ' = . This can be achieved by having
every authority i compute ' i, where i is i’s share of the secret
key , and then compute ' from the ' i. This is possible if at least authorities
reveal and prove ' i. More details can be found in [Ped91,CGS97]. Once ' is
known, one can compute




Then, the authorities must find . The computational complexity of this task
is discussed in Sect. 4.2.

4. (Re-encryptability) The re-encryption ' = ( ', ') of an encrypted vote
 = ( , ) is given by
('') = (« M 

for a random integer ∈_R q. Clearly, if is chosen uniformly in q, then
( ', ') is uniformly distributed. This serves as a witness of re-encryption.

5. (1-out-of-L Re-encryption Proof) An efficient witness indistinguishable protocol
with which an authority can prove that a re-encryption of a given
encrypted vote is contained in the list 1, …, L will be given in Sect. 4.4.

6. (Designated-Verifier Re-encryption Proof) An efficient witness indistinguishable
protocol with which an authority can prove privately that an encrypted
vote ' is a re-encryption of will be given in Sect. 4.5.
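The encryption scheme of Sect. 4.1, the vote encodings of Sect. 4.2 and Properties 2 to 4 above, as an added worked example (this is not code from [CGS97] or from this paper). It uses a constructed toy group (a 2039-element safe-prime field, subgroup of order 1019) so that the discrete logarithm of the tally is a short loop; the threshold sharing of the secret key among the authorities is not modelled, a single key holder decrypts. Function names are this example's own.

```python
# Added example, not code from [CGS97] or from this paper: exponential ElGamal
# in a prime-order subgroup with the vote encodings of Sect. 4.2 and the
# homomorphic / re-encryption / decryption properties of Sect. 4.3.
# Toy parameters (constructed): P = 2*Q + 1 is a safe prime, G and GAMMA are
# squares mod P and so generate the order-Q subgroup. The threshold sharing of
# the secret key among the authorities is not modelled; one key holder decrypts.
import random

P, Q = 2039, 1019
G, GAMMA = 4, 9


def keygen(rng):
    """Secret key z in Z_q and public key h = g^z."""
    z = rng.randrange(1, Q)
    return z, pow(G, z, P)


def encrypt(h, v, rng):
    """E(v) = (g^alpha, gamma^v * h^alpha): the vote is put in the exponent so
    that multiplying ciphertexts adds votes (footnote of Sect. 4.3)."""
    alpha = rng.randrange(Q)
    return pow(G, alpha, P), pow(GAMMA, v % Q, P) * pow(h, alpha, P) % P


def standard_encryption(v):
    """e_v = (1, gamma^v): the 'encryption' of v with randomness zero."""
    return 1, pow(GAMMA, v % Q, P)


def add(e1, e2):
    """Property 2: componentwise product, encrypts the sum of the two votes."""
    return e1[0] * e2[0] % P, e1[1] * e2[1] % P


def reencrypt(h, e, rng):
    """Property 4: multiply by a fresh encryption of zero; xi is the witness."""
    xi = rng.randrange(Q)
    return (e[0] * pow(G, xi, P) % P, e[1] * pow(h, xi, P) % P), xi


def flip(e):
    """Invert both components: an encryption of v becomes one of -v."""
    return pow(e[0], -1, P), pow(e[1], -1, P)


def decrypt_sum(z, e):
    """Property 3 with a single key holder: recover gamma^T, then T by a
    brute-force discrete log (fine for Q = 1019; real tallies use baby-step
    giant-step in O(sqrt(T)) as the text notes)."""
    gamma_t = e[1] * pow(pow(e[0], z, P), -1, P) % P
    for t in range(Q):
        if pow(GAMMA, t, P) == gamma_t:
            return t if t <= Q // 2 else t - Q   # small negative sums allowed
    raise ValueError("tally is not a power of gamma")


def tally(z, h, votes, rng):
    """Encrypt every vote, add them homomorphically, decrypt the sum only."""
    acc = standard_encryption(0)
    for v in votes:
        acc = add(acc, encrypt(h, v, rng))
    return decrypt_sum(z, acc)


def decode_counts(total, base, choices):
    """Encoding V = {1, M, M^2, ...} of Sect. 4.2: the sum is read off as base-M
    digits, one digit per choice. base must exceed the largest possible count."""
    counts = []
    for _ in range(choices):
        total, n = divmod(total, base)
        counts.append(n)
    return counts
```

With V = {+1, −1} the decrypted sum is the margin; with the power-of-M encoding, `decode_counts` returns the per-choice counts, which is why M has to be larger than any count that can occur.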

4.4 1-out-of-L Re-encryption Proof 

We present a witness indistinguishable protocol with which a prover can prove
that for an encrypted vote ( , ), there is a re-encryption in the encrypted votes
( 1, 1), …, ( L, L) (1-out-of-L re-encryption proof). The protocol is based on
techniques presented in [CDS94,CFSY96,CGS97]. For this protocol, assume that
( t, t) is a re-encryption of ( , ), and the re-encryption randomness (the witness)
is , i.e. ( t, t) = ( ^ , ^ ).
1. The prover selects 1, …, L and 1, …, L at random, and computes

 i = and i = ^ (for i = 1, …, L)

and sends them to the verifier. Note that these values commit the prover to i
and i for all i = 1, …, L except for i = t. t and t only commit the prover
to a value w = t + t, since t = and t = ^( t + t). This means that
the prover still can change t and t after this round.

2. The verifier picks a random challenge ∈_R q and sends it to the prover.

3. The prover modifies t such that = 1 + … + L, modifies t such that
w = t + t (both mod ), and sends 1, …, L and 1, …, L (with t and
 t modified) to the verifier.

4. The verifier tests whether 

7 

= 1 + + L (mod ) 




i (for =1 ) 



The proposed protocol is a 3-move witness-indistinguishable proof. Using the
Fiat-Shamir heuristic [FS86] the proof can be converted to be non-interactive.
Using a technique of [CFSY96], we can even achieve a proof that only requires
the prover to send 2L elements of . Let H denote a cryptographic hash function;
then

1. The prover computes i and i (for i = 1, …, L) as in the interactive proof.

2. Then the prover computes the challenge = H( || 1 || 1 || … || L || L),
where || is the concatenation of and , and = ( || || || 1 || 2 || … || L || L)
is the environment.

3. For this challenge, the prover computes i and i (for i = 1, …, L). The
proof is the 2L-vector ( 1, …, L, 1, …, L).

4. A verifier examines whether 



= n 
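The non-interactive 1-out-of-L re-encryption proof just described, as an added worked example that is not the paper's code. The challenge is a SHA-256 hash over the environment and the commitments, the proof is the 2L values, and the verifier recomputes the commitments from the proof and checks that the hash equals the sum of the first L values. The names d, r, a, b, xi, the "|"-joined hash input and the toy group are this example's conventions.

```python
# Added example, not the paper's code: the 1-out-of-L re-encryption proof of
# Sect. 4.4 in its non-interactive form (challenge from a hash over the
# environment and the commitments, proof = the 2L values d_i, r_i).
# Names d, r, a, b, xi and the "|"-joined hash input are this example's
# conventions. Toy group (constructed): P = 2Q+1 safe prime, G of order Q.
import hashlib
import random

P, Q, G = 2039, 1019, 4


def inv(x):
    return pow(x, -1, P)


def challenge(env, commits):
    """c = H(env || a_1 || b_1 || ... || a_L || b_L) reduced into Z_q."""
    data = "|".join(str(v) for v in env + commits).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def commitments(h, e, lst, d, r):
    """a_i = (x_i/x)^{d_i} g^{r_i}, b_i = (y_i/y)^{d_i} h^{r_i}, flattened."""
    out = []
    for (xi_, yi_), di, ri in zip(lst, d, r):
        out.append(pow(xi_ * inv(e[0]) % P, di, P) * pow(G, ri, P) % P)
        out.append(pow(yi_ * inv(e[1]) % P, di, P) * pow(h, ri, P) % P)
    return out


def environment(h, e, lst):
    return [G, h, e[0], e[1]] + [v for pair in lst for v in pair]


def prove(h, e, lst, t, xi, rng):
    """lst[t] == (x g^xi, y h^xi); the proof hides t."""
    L = len(lst)
    d = [rng.randrange(Q) for _ in range(L)]
    r = [rng.randrange(Q) for _ in range(L)]
    # for i = t the pair (a_t, b_t) = (g^w, h^w) only fixes w = xi*d_t + r_t
    c = challenge(environment(h, e, lst), commitments(h, e, lst, d, r))
    w = (xi * d[t] + r[t]) % Q
    d[t] = (c - sum(d) + d[t]) % Q      # now sum_i d_i == c (mod q)
    r[t] = (w - xi * d[t]) % Q          # keeps (a_t, b_t) unchanged
    return d, r


def verify(h, e, lst, proof):
    d, r = proof
    if len(d) != len(lst) or len(r) != len(lst):
        return False
    c = challenge(environment(h, e, lst), commitments(h, e, lst, d, r))
    return c == sum(d) % Q


def demo(seed=7):
    """Honest proof verifies; the same proof fails once the list is altered."""
    rng = random.Random(seed)
    z = rng.randrange(1, Q)
    h = pow(G, z, P)
    e = (pow(G, 5, P), 9 * pow(h, 5, P) % P)        # some encrypted vote
    L, t, xi = 4, 2, rng.randrange(Q)
    lst = [(pow(G, rng.randrange(Q), P), pow(G, rng.randrange(Q), P))
           for _ in range(L)]                         # decoy entries (constructed)
    lst[t] = (e[0] * pow(G, xi, P) % P, e[1] * pow(h, xi, P) % P)
    proof = prove(h, e, lst, t, xi, rng)
    altered = list(lst)
    altered[t] = (lst[t][0] * G % P, lst[t][1])
    return verify(h, e, lst, proof), verify(h, e, altered, proof)
```

Because the hash is taken over the whole environment, a proof is bound to one specific input vote and one specific list; replaying it against a list in which the true re-encryption has been replaced fails the check.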













4.5 Designated-Verifier Re-encryption Proof

Each authority secretly conveys and proves to the voter how she reordered the
list of encrypted votes. Therefore, for each i = 1, …, , the authority proves that
 is a re-encryption of . In the sequel, based on techniques from [JSI96],
we show how the authority can privately prove that ( ', ') is a re-encryption
of ( , ), where is the witness, i.e. ( ', ') = ( ^ , ^ ). The voter’s secret key
is denoted as _v and the corresponding public key is given by _v = . This
protocol relies on the voter’s knowledge of his secret key. If this property is not
ensured by the underlying public-key infrastructure, a protocol for guaranteeing
it must be employed (see Appendix A).
1. The prover selects , w and at random, computes

 = , = , and s = ;

and sends them to the verifier. These values commit the prover to w and .
However, s is a chameleon commitment for w and , and the verifier can
use his knowledge of _v to open s to arbitrary values w' and ' satisfying

w' + _v ' = w + _v .

2. The verifier picks a random challenge ∈_R q and sends it to the prover.

3. The prover computes u = + ( + w) and sends ( , w, , u) to the verifier.

4. The verifier tests whether 



? 

w r 

V 




This protocol can be made non-interactive using the Fiat-Shamir heuristic [FS86]:

1. The prover computes , and s as in the interactive proof.

2. Then the prover computes the challenge = H( || || || s), where || || || s means
the concatenation of , , and s, and = ( || || || ' || ') is the environment.

3. For this challenge, the prover computes u. The proof is the vector ( , w, , u).^

4. A verifier tests whether 



? 

= H 



u 


U 




(G) 






[i) 





Now we show that the verifier who knows the secret _v such that _v =
can generate the above proof for any ( , ) and ( ~, ~). The key is that the value s
does not bind the verifier to w and . The verifier selects , and u at random,
and computes




w = — ~ (mod ) 



(mod ) 

V 



and sets ( , w, ', u) as the proof. It is easy to see that this proof passes the above
verification, i.e. for any ( ~, ~), the voter can “prove” that it is a re-encryption of
( , ).

^ We note that this construction is slightly more efficient than the one presented in
[JSI96], where they require a 5-vector as proof.
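The designated-verifier proof of Sect. 4.5 in its non-interactive form, together with the voter-side simulation that makes the proof worthless as a receipt, as an added worked example (not the paper's code). The chameleon commitment s = g^w · y_v^r is opened by the holder of the voter's secret key z_v to any (w, r) with w + z_v·r fixed; the names d, w, r, u, alpha, beta, z_v, the hash layout and the toy group are this example's conventions.

```python
# Added example, not the paper's code: the designated-verifier re-encryption
# proof of Sect. 4.5 (non-interactive form) together with the voter-side
# simulation that makes the proof worthless as a receipt. Names d, w, r, u,
# alpha, beta, z_v and the hash layout are this example's conventions.
# Toy group (constructed): P = 2Q+1 safe prime, G of order Q.
import hashlib
import random

P, Q, G = 2039, 1019, 4


def H(*vals):
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def ratios(e, e2):
    """(x'/x, y'/y); for an honest re-encryption these are (g^xi, h^xi)."""
    return (e2[0] * pow(e[0], -1, P) % P, e2[1] * pow(e[1], -1, P) % P)


def dv_prove(h, yv, e, e2, xi, rng):
    """Authority side: e2 = (x g^xi, y h^xi), yv = voter's public key."""
    d, w, r = (rng.randrange(Q) for _ in range(3))
    a, b = pow(G, d, P), pow(h, d, P)
    s = pow(G, w, P) * pow(yv, r, P) % P          # chameleon commitment to (w, r)
    c = H(G, h, yv, *e, *e2, a, b, s)
    u = (d + xi * (c + w)) % Q
    return c, w, r, u


def dv_verify(h, yv, e, e2, proof):
    """Recompute a, b, s from the proof and check the hash."""
    c, w, r, u = proof
    rx, ry = ratios(e, e2)
    k = (-(c + w)) % Q
    a = pow(G, u, P) * pow(rx, k, P) % P           # g^u / (x'/x)^{c+w}
    b = pow(h, u, P) * pow(ry, k, P) % P           # h^u / (y'/y)^{c+w}
    s = pow(G, w, P) * pow(yv, r, P) % P
    return c == H(G, h, yv, *e, *e2, a, b, s)


def dv_simulate(h, zv, e, e2, rng):
    """Voter side: with z_v (y_v = g^{z_v}) a proof for ANY pair e, e2 is
    produced, because s can be opened to any (w, r) with w + z_v r fixed."""
    yv = pow(G, zv, P)
    alpha, beta, u = (rng.randrange(Q) for _ in range(3))
    rx, ry = ratios(e, e2)
    a = pow(G, u, P) * pow(rx, (-alpha) % Q, P) % P
    b = pow(h, u, P) * pow(ry, (-alpha) % Q, P) % P
    s = pow(G, beta, P)                  # will equal g^{w + z_v r} for (w, r) below
    c = H(G, h, yv, *e, *e2, a, b, s)
    w = (alpha - c) % Q                            # so that c + w == alpha
    r = (beta - w) * pow(zv, -1, Q) % Q            # open s to (w, r)
    return c, w, r, u


def demo(seed=3):
    rng = random.Random(seed)
    z, zv = rng.randrange(1, Q), rng.randrange(1, Q)
    h, yv = pow(G, z, P), pow(G, zv, P)
    e = (pow(G, 11, P), 9 * pow(h, 11, P) % P)
    xi = rng.randrange(Q)
    e2 = (e[0] * pow(G, xi, P) % P, e[1] * pow(h, xi, P) % P)
    unrelated = (pow(G, 77, P), pow(G, 78, P))     # not a re-encryption of e
    honest = dv_verify(h, yv, e, e2, dv_prove(h, yv, e, e2, xi, rng))
    misapplied = dv_verify(h, yv, e, unrelated, dv_prove(h, yv, e, e2, xi, rng))
    forged = dv_verify(h, yv, e, unrelated, dv_simulate(h, zv, e, unrelated, rng))
    return honest, misapplied, forged
```

The third value returned by `demo` is the receipt-freeness argument in one line: a transcript that verifies proves nothing to a coercer, since the voter can produce an equally valid one for any pair of ciphertexts.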
4.6 Communication-Complexity Analysis

In this section we analyze the communication complexity of the 1-out-of-L voting
scheme. We assume that there are authorities and active (participating)
voters. Let denote the number of bits that are used to store an element of the
group .

Both initialization of the ElGamal keys and revelation of the final result use
constantly many (in ) messages and are thus ignored. The relevant costs are
related to shuffling and to the designated-verifier proofs. For each active voter,
in turn every authority shuffles the list of encrypted votes, posts the new list
to the bulletin board (2 group elements), posts a proof for honest shuffling
( · 2 group elements), and secretly conveys and proves the reordering to the
voter ( log2 bits for the permutation and · 4 group elements for the proofs).
Finally, the voter posts the index of the encrypted vote of his choice to the
bulletin board (log2 bits). In total, there are 2 ( + 1) + log2 bits
posted to the bulletin board, and (4 + log2 ) bits transferred through
the untappable channels.

When the protocol for ensuring that each voter knows his own secret key
(cf. Appendix A) is considered as part of the protocol (and not as part of the
public-key infrastructure), then the number of bits posted to the bulletin board
is increased by ( + ), and the number of bits transferred through the
untappable channels is increased by



5 Efficient Receipt-Free 1-out-of-2 Voting

In this section we give a more efficient receipt-free protocol for 1-out-of-2 voting
based on the scheme of [CGS97]. We take advantage of the encryption scheme,
which enables flipping of votes easily. That is, one can generate the opposite of
an encrypted vote without knowing the vote.

We define the set of valid votes V = {−1, +1} and we use the same encryption
scheme as in Sect. 4. We define = (1, γ) to be the standard encryption for the
vote 1.

Consider an encrypted vote ( , ) ∈ (v) (where v ∈ V is unknown). One
can easily flip the vote by ¯ = ( ^−1, ^−1), which yields ¯ ∈ (−v). In other
words, for every encrypted vote, the encrypted opposite vote is implicitly defined.
In the following we give an efficient receipt-free protocol for 1-out-of-2 elections that
makes extensive use of this flipping property.

In turn, for each authority k (where k = 1, …, ):

1. k picks an encrypted 1-vote or (−1)-vote (for the first authority
 1, this is the standard encryption of the 1-vote, and for all succeeding
authorities, this is the encrypted vote of the previous authority). Then the
authority computes a random re-encryption of and either flips it or
not, and assigns the result to .
2. k publicly proves that she honestly re-encrypted (and optionally flipped),
namely by proving that either or is a re-encryption of . Therefore,
the proof of Sect. 4.4 is used, where L = 2.

3. k secretly conveys and proves privately to the voter whether she flipped
or not. This proof will be the same designated-verifier proof as given in
Sect. 4.5, where L = 2.

4. At most − times the voter may not accept the proof and publicly complain
about the authority. Then

Finally the voter casts his vote by announcing whether his vote is or
 . This encrypted vote is then summed for tallying.

The analysis of this scheme gives that in total 6 + bits are posted to
the bulletin board, and (4 + 1) bits are sent over the untappable channels
(both quantities are almost half of the costs with the protocol of Sect. 4, where
L = 2).

A careful analysis of the receipt-free voting scheme of Sako and Kilian [SK95]
for security parameter ℓ (the number of rounds in the non-interactive cut-and-choose
proofs) reveals the complexity of that scheme: There are in total
(9 + log2 ) ℓ bits sent over the public channels and ℓ bits over the
untappable channels. This is more than ℓ/2 times more on the public channels
and ℓ/4 times more on the untappable channels than the scheme of this paper.
The costs of the protocol from Appendix A must be added to all quantities if
required.



6 Concluding Remarks

We have presented a generic construction of a receipt-free protocol from a given
basic voting scheme. By applying this generic construction to the voting protocol
of [CGS97] we obtain an efficient receipt-free 1-out-of-L voting protocol, and
by tailoring it to 1-out-of-2 voting this results in a protocol which is ℓ times
more efficient than the protocol of [SK95] with security parameter ℓ. Due to the
protocol failure in [BT94], the constructions in this paper give the first receipt-free
voting scheme based on homomorphic encryptions.
A Ensuring Knowledge of the Secret Key

In a model providing receipt-freeness, it is essential that each voter knows his
own secret key. We assume that this verification is part of the underlying public-key
infrastructure, but nevertheless we provide a protocol that ensures a voter’s
knowledge of his secret key. This protocol may be performed as part of the key
registration (in the public-key infrastructure), or as part of the voting protocol
if the key infrastructure does not provide this property. This protocol requires a
secure one-way untappable channel as used in the vote generation phase.

The following protocol is based on Feldman’s secret-sharing scheme [Fel87].
It establishes that a voter v knows the secret key _v corresponding to his public
key _v (where _v = ):

— The voter shares his secret key _v among the authorities by using Feldman’s
secret-sharing scheme [Fel87]: The voter v chooses a uniformly distributed
random polynomial _v( ) = _v + 1 + … + t−1 of degree − 1, and
secretly sends^ the share i = _v( ) to authority i (for i = 1, …, ). Furthermore,
the voter commits to the coefficients of the polynomial by sending
 i = for i = 1, …, − 1 to the bulletin board.

— Each authority i verifies with the following equation whether the received
share i indeed lies on the committed polynomial _v(·):

^ Either the voter encrypts the share with the authority’s public key, or alternatively
the authority first sends a one-time pad through the untappable channel, and the
voter then encrypts with this pad.

7 -f — 1 / 

Si j_ I I I Zu ail 

— V ■ 1 ■ ■ t-1 I — 

If an authority detects an error, she complains and the voter is requested to
post her share to the bulletin board. If the posted share does not correspond
to the commitments, the voter is disqualified.

— Finally, every authority (which did not complain in the previous stage) sends
her share through the untappable channel to the voter.

In the above protocol, clearly after the second step, either the (honest) authorities
will have consistent shares of the voter’s secret key or the voter will
be disqualified. However, so far it is not ensured that the voter indeed knows the
secret key, as the shares could have been provided by the coercer. In any case,
in the final step the voter learns . There are at least honest authorities who
either complained (and thus their share is published), or who sent their share to
the voter, and hence the voter can interpolate the secret key .
Abstract. A MIX net takes a list of ciphertexts (c_1, …, c_N) and outputs
a permuted list of the plaintexts (m_1, …, m_N) without revealing
the relationship between (c_1, …, c_N) and (m_1, …, m_N). This paper first
shows that Jakobsson’s MIX net of Eurocrypt’98, which was believed
to be resilient and very efficient, is broken. We next propose an efficient
t-resilient MIX net with O(t²) servers in which the cost of each MIX
server is O(N). Two new concepts are introduced, existential-honesty
and limited-open-verification. They will be useful for distributed computation
in general.



1 Introduction 

1.1 Background 

In his extensive work to achieve anonymity, Chaum introduced the concept of a
MIX net [6]. MIX nets have found many applications in anonymous communication
[6], election schemes [6,11,19,24] and payment systems [14]. A MIX net
takes from each user a ciphertext and outputs a permuted list of the plaintexts
without revealing who has sent which plaintext, i.e., which plaintext corresponds
to which ciphertext. This aspect of a MIX net is also known as privacy. Although
Pfitzmann-Pfitzmann [21] showed an attack against the RSA implementation of
Chaum’s MIX scheme, the concept itself was not broken but it was refined. The
original MIX net given by Chaum [6] satisfies privacy only under the condition
that all the senders are honest. To address this issue, one needs robustness. A
topic that was studied prior to robustness is verifiability, to allow to detect that

* A part of this research was done while the author visited the Tokyo Institute of
Technology, March 4-19, 1999. He was then at the University of Wisconsin - Milwaukee.
A part of his research was funded by NSF CCR-9508528.

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 557-572, 2000.
© Springer-Verlag Berlin Heidelberg 2000
the output of the MIX net is incorrect. If an outsider can verify this, the scheme
is called universally verifiable.

Before surveying robustness and verifiability, another problem of Chaum’s
MIX net based on RSA should be pointed out, which is that the size of each
ciphertext c_i is long, i.e., proportional to the total number of MIX servers. Park
et al. overcame this problem by using the ElGamal encryption scheme so that the
size of each c_i became independent of the number of MIX servers [19]. Almost all
MIX nets proposed from then on are based on the ElGamal encryption scheme.

A general method to achieve verifiability is to have each MIX server prove
that it behaved correctly in zero knowledge. Sako and Kilian [24] showed such
an efficient proof system for Park et al.’s MIX net. The above MIX nets are,
however, not robust. If at least one MIX server stops, then the entire system
stops. Ogata et al. showed the first MIX net satisfying privacy, verifiability and
robustness [18]. We call a scheme satisfying all these properties resilient.

For comparison, we focus on the random permutation stage of the MIX net
because almost all known resilient MIX nets consist of two stages, a random
permutation stage and a threshold decryption stage. Also, there are some cases
where we want a permutation, but not a decryption. If a MIX net does a permutation
only, it is possible that the MIX servers do not need to know the
decryption key, which is an advantage.

Now in Ogata et al.’s MIX net, the computational cost of each MIX server
is O( t ), where is the number of users, is the security parameter and t
stands for the threshold number of untrusted MIX servers. Subsequently, Abe
showed a more efficient resilient MIX net which is also universally verifiable, in
which the external verifier’s cost is reduced to O( ) [1].

At the same time, Jakobsson showed a very efficient resilient MIX net at
Eurocrypt’98 [13] (but not universally verifiable). Later, he showed a more
efficient MIX net at PODC’99 [15]. In these schemes, the computational cost of
each MIX server is O(t ).

Recently Abe [2,3] showed his second resilient MIX net which is efficient for a
small number of users. In this MIX net, the complexity is O(t log ). Jakobsson
and Juels showed a MIX net which has the same advantage [16]. In their MIX
net, the cost of each MIX server is O(t log² ). Since these complexities grow
faster in than the other schemes, these schemes suit small .



1.2 Our Contribution 

This paper first shows that Jakobsson’s first MIX net (presented at Eurocrypt’98)
[13], which was believed to be resilient and very efficient, is not robust.
We present an attack such that at least one malicious MIX server can prevent
computing the correct output. We exploit a homomorphic property of Jakobsson’s
Eurocrypt’98 scheme to attack it. Observe that we make no claims about
other MIX networks, such as the PODC’99 Jakobsson paper [15].

We also propose a new and very efficient resilient MIX net (but it is not
universally verifiable). To obtain this scheme, we introduce three new concepts:

Work-sharing-MIX, in which (significantly) more MIX servers are being used
than one trusts. In threshold schemes a tradeoff is used between reliability
and privacy. The motivation of work-sharing-MIX is to have a tradeoff between
the number of MIX servers and the computational effort per MIX server.
When is large (as in national elections), and one wants a sufficiently high
security (i.e., a large t), then the computational effort of existing schemes
may be prohibitive. We share the computational effort over several machines
while maintaining the requirements of privacy, robustness and verifiability.

Existential-honesty divides the MIX servers into blocks of which we can guarantee
that one is free of dishonest MIX servers, assuming the number of
dishonest MIX servers is bounded by t.

Limited-open-verification is the opposite of zero-knowledge. To prove that a
computation has been done correctly the party that did the computation in
a block will open the secret it used. However, she will only open this to the
members in the same block.

More details are given later on. Those concepts may be useful in other contexts
such as secure distributed computation. We achieve 100% robustness in contrast
with prior schemes (i.e. the probability of the failure of robustness is 0).

Although the total computational cost of our scheme is comparable to the
one of Jakobsson’s MIX net of PODC’99 [15] (i.e. O(t² )), the computational
cost of each MIX server is significantly smaller (i.e. O( )) in ours versus the
one in Jakobsson’s scheme (O(t )). To achieve this we need O(t²) MIX servers
rather than the usual O(t). This introduces several open problems, which we
discuss in Sect. 6.

Other details, such as the computational complexity assumptions we need to
prove privacy, are discussed later on.



2 Model of MIX Net 

2.1 Model and Definitions 

In the model of MIX nets, there exist three types of participants: users, a bulletin
board, and the MIX servers.

1. The users post encrypted messages (c_1, …, c_N) to the bulletin board.

2. After the bulletin board fills up, or after some other triggering event occurs,
the MIX servers compute a randomly permuted list of decryptions
(m_1, …, m_N) of all valid encryptions posted on the bulletin board.

MIX nets must satisfy privacy, verifiability and robustness. Suppose that at
most t among v MIX servers and at most − 2 among senders are malicious.
Then we say that a MIX net satisfies:

— t-privacy if the relationship between (c_1, …, c_N) and (m_1, …, m_N) is kept
secret.

— t-verifiability if an incorrect output of the MIX net is detected with overwhelming
probability.

— t-robustness if it can output (m_1, …, m_N) correctly with overwhelming
probability.

We say that a MIX net is t-resilient if it satisfies t-privacy, t-verifiability and
t-robustness.

Yvo Desmedt and Kaoru Kurosawa

2.2 ElGamal Based Encryption Scheme for Users 

An ElGamal-based encryption scheme was commonly used in some of the previous
robust MIX nets [18,1,13]. Let be a safe prime, i.e., let and be primes such that
 = 2 + 1, and let be a generator of G_q. Let = ^ mod , where is a secret
key. The public key is ( , ).

The MIX servers share the secret key using a (t + 1, v) threshold scheme [27],
where v denotes the number of MIX servers.

To encrypt a value m ∈ G_q, a random number ∈ q is chosen and the ciphertext
( , ) = ( ^, m ^) is calculated. For decryption, m = ^ is calculated
by a threshold decryption scheme [8,20,12].

As pointed out by Jakobsson, to guarantee that m ∈ G_q, we should let
m = ( | ) for an original message ∈ [1 … ( − 1)/2], where ( | ) is
the Jacobi symbol of .

2.3 Non-malleable ElGamal

Malicious users may post copies or correlated ciphertexts of some encrypted
messages of honest users (repeated ciphertext attack). They can then determine
(with some probability) what the decryption of the attacked message was, by
counting repeats or correlations in the output list. Therefore, it is necessary
to use a non-malleable encryption scheme. A public key cryptosystem is said
to be non-malleable [9] if there exists no probabilistic polynomial time (p.p.t.)
adversary such that given a challenge ciphertext , he can output a different
ciphertext ' such that the plaintexts m, m′ for , ' are meaningfully related.
(For example, m′ = m + 1.)

Tsiounis and Yung [28], and independently Jakobsson [13], showed a non-malleable
ElGamal encryption scheme by combining Schnorr’s signature scheme
[25] with the ElGamal encryption scheme under some cryptographic assumption in
the random oracle model. Jakobsson used the non-malleable ElGamal encryption
scheme in his MIX net for users’ encryption to prevent the repeated ciphertext
attack [13]. (For a detailed study of the security consult [26].) We also use this
scheme in our MIX net of Sect. 4.
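The user-side encryption of Sect. 2.2 and the signed variant of Sect. 2.3, as an added worked example that is not the paper's code: ElGamal in the order-q subgroup of a safe prime, the Jacobi-symbol mapping that forces the message into that subgroup, and a Schnorr signature on the ciphertext under the one-time key r (the encryption randomness), which is the construction the text attributes to Tsiounis-Yung and Jakobsson. The function names, the hash layout and the toy parameters (P = 2039, Q = 1019, G = 4) are this example's own.

```python
# Added example, not the paper's code: ElGamal over the order-q subgroup of a
# safe prime as in Sect. 2.2, the Jacobi-symbol message mapping, and the
# Schnorr-signed ("non-malleable") variant of Sect. 2.3 with the signature
# keyed by the encryption randomness. Function names and the hash layout are
# this example's. Toy parameters (constructed): P = 2Q+1 = 2039, G = 4.
import hashlib
import random

P, Q, G = 2039, 1019, 4


def jacobi(m):
    """Legendre symbol (m | P) via Euler's criterion (P is prime)."""
    return 1 if pow(m, Q, P) == 1 else -1


def encode(M):
    """m = (M|p) * M for M in [1, (p-1)/2]; the result is a square, i.e. in G_q."""
    assert 1 <= M <= (P - 1) // 2
    return jacobi(M) * M % P


def decode(m):
    """Undo encode(): -M mod p lies above (p-1)/2, M itself below."""
    return m if m <= (P - 1) // 2 else P - m


def H(*vals):
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)            # (secret s, public y = g^s)


def encrypt(y, M, rng):
    """(A, B) = (g^r, m y^r) plus a Schnorr signature on (A, B) under the
    one-time key r (public key A): (c, t) with c = H(g^k, A, B), t = k - c r."""
    m = encode(M)
    r = rng.randrange(1, Q)
    A, B = pow(G, r, P), m * pow(y, r, P) % P
    k = rng.randrange(1, Q)
    c = H(pow(G, k, P), A, B)
    return A, B, c, (k - c * r) % Q


def valid(ct):
    """Anyone (a MIX server in particular) can check the signature."""
    A, B, c, t = ct
    return c == H(pow(G, t, P) * pow(A, c, P) % P, A, B)


def decrypt(x, ct):
    if not valid(ct):
        raise ValueError("ciphertext rejected: signature does not verify")
    A, B, _, _ = ct
    return decode(B * pow(pow(A, x, P), -1, P) % P)


def related_ciphertext(ct, factor):
    """The 'repeated ciphertext' trick against plain ElGamal: B * factor would
    encrypt m * factor. The signature covers B, so this copy is rejected."""
    A, B, c, t = ct
    return A, B * factor % P, c, t
```

The signature ties the ciphertext to knowledge of r, so a server that checks `valid` before mixing drops correlated copies of an honest user's ciphertext instead of letting them reach the output list.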

3 An Attack for Jakobsson’s Practical MIX

In this section, we show how to break Jakobsson’s MIX net of Eurocrypt’98
[13], which was believed to be t-resilient and very efficient.

Jakobsson first showed that a MIX net is obtained by using MIXEXP, which
takes a list of items = ( 1, …, N) and robustly computes a permutation
( ^ , …, ^ ). To avoid cut and choose methods, Jakobsson [13] developed a subprotocol
in which each MIX server proves that the product of his input elements
and the product of his output elements satisfy a certain relation. However, this
does not imply proving that each MIX server behaved correctly, even if the subprotocol
is combined with his other subprotocols. We show an attack such that
all the output elements of a MIX server can be affected in a proper way. We also
exploit a homomorphic property of his scheme to attack it.

His MIX net is not robust if MIXEXP is not robust. Therefore, the details
of MIXEXP are given in Sect. 3.1. Our attack is given in Sect. 3.2.

If the reader is not interested or is already familiar with his scheme, he can
go directly to Sect. 3.2.

3.1 Structure of the Scheme Attacked [13] 

Let 



.= ( 1 ) 

be the public information of a MIX server j, where j is his secret. Define 

= n . (2) 

j&Q 

where Q denotes a quorum. MIXEXP takes a list of items = ( 1, …, N) and
robustly computes a permutation ( ^ , …, ^ ).

Jakobsson then showed an efficient implementation of MIXEXP. It consists
of four protocols: Blinding I, Blinding II, Unblinding I and Unblinding II. For
simplicity, let Q = {1, 2, …, t + 1}. For a list = ( 1, …, N) and ∈ q,
define

“e ^ / e e \ 

— I 1 ■ ■ ■ n )- 



Let be a security parameter. 



Blinding I: (see Fig. 1) For 1 < < , 

1. MIX server 1 chooses a random number and a random permutation
 /Ai. He then computes

/ PIXl P/Xi PlXi\ 

1 2 ■ ■ ■ N )■ 

2. MIX server 2 chooses a random number and a random permutation 

7 A 2 - He then computes 

/ PI\iPI\2 PI\iPI\2 PI\iPI\2\ 

I\2 ° /All 1 2 ' ' ’ N ) 

and so on. 
Fig. 1. Blinding I



The final output (in Blinding I) from MIX server t + 1 is: 

M/A - /A ( 1 2 • • • N ) 

where 

/A = n = n 

jeQ jeQ 

That is, MIXEXP outputs p,n ■ ■ ■ on input J1 in Blinding I. 




Fig. 2. Blinding II 



Blinding II: (see Fig. 2) For 1 < < , 

1. MIX server 1 chooses a random number and a random permutation 
7 /Ai- He then computes 

//A.o 

... 

from p,j\. Note that is independent of while /Ai depends on . 
2. MIX server 2 chooses a random number and a random permutation

7 /A 2 - He then computes 

IIX, O //Ai o 7 a(( f 



^ WX^(5ipj/j 52PJ/2 ^ 



and so on. 

The final output (in Blinding II) of MIX server t + 1 is:

- ^ ^ ! pixSpii pixSpn pixSpii 

CT//A = //A O /a( 1 2 ’ " N 

where is defined in eq. (2) and 



(4) 



//A = iixj = n 

jeQ jeQ 

That is, MIXEXP outputs am • • • ajiK on input fLji ■ ■ ■ in Blinding II. 
From eq. (4), we see that 

^^IPIX _ ( ^PII &PII\ 

^IIX - nxo ix{ 1 ■■■ N )■ 

Note that ( of the right hand side is independent of . Therefore, 

a^fx^ must be equal for 1 < < if each list n\ o /a( is 

sorted. Unblinding I, based on this observation, is described as follows. 



Unblinding I: 

1. Each MIX server j publishes { i\j} for 1 < < . 

2. Each MIX server computes i\ = Ojeg 

- ^ -'^Ipix „ ( Spil ^PII\ /r\ 

<^IX = CTjjx = IIXO ix{ 1 ■■■ N ) (5) 

for 1 < < .

3. The lists ct/a with 1 < < are sorted and compared. If they are all 

equal, and no element is zero, then the result is labeled valid, otherwise 
invalid. 



Next in Blinding II for = I, let j denote the product (modulo ) of all 
the elements constituting the input to MIX server j. Similarly, Sj denotes the 
product of all the output elements of MIX server j. Then it must hold that 



Sj = 



3 



(6) 



On the other hand, from eq. (1), we have Therefore, it holds 

that 



Sj= /and ^ 

for = j II . . Unblinding II, based on this observation, is described as follows. 
Unblinding II: (for valid results only)

1. The MIX servers publish { 

2. The computation of p,n in “Blinding I” is verified. 

3. The MIX servers publish { jjj}j^Q. 

4. Each MIX server j proves that 

S,= /and p= ^ (7) 

holds for some by using one of the methods of [7,25]. 

5. The MIX servers compute cti = , and output cti. Note that cti is 

a permutation of ( ^ . . . %) from eq. (5). 

Jakobsson claims that the final output cti is a permutation of ( ^ . . . if 
the above protocol (MIXEXP) ends successfully. 

3.2 Our Attack 

We show that Jakobsson’s MIXEXP is not robust. This means that his MIX net 
is not robust. Our attack succeeds if at least one MIX server is malicious. 

We exploit a homomorphic property. A dishonest MIX server will first mul- 
tiply the received inputs. The data is then organized to prevent detection. We 
now describe the details. 

For simplicity, suppose that the last MIX server t + 1 of Q is malicious. In
Blinding II, let her input be ( 1, …, N) for 1 < < . Let

A 

A = Al * • • • * \N- 

In our attack, she first chooses random numbers i • • • n such that 

id- 2 ~\ AT = 1 mod . 



Next she outputs 



Qi(5t+ip/j a2<5t+ipj/j , j 

= ( A A 



aivi5t+iP/q_,.j 

A 



(8) 



for 1 < < . 

We next show that the MIXEXP ends successfully and our cheating is not 
detected. 



Theorem 1. The check of Unblinding I is satisfied.



Proof: In Blinding II, the output of MIX server t + 1 is of eq. (4) if she is
honest. Therefore, her input must be



( 



-^iv) — 

= 0xi 1 



//At+i W//A 



p/x<5pj//<5t+ipjq^_i 



pi\Spii/St+ipii.i._ 

N 




How to Break a Practical MIX and Design a New One



for some permutation 0\ for 1 < < . Therefore, 

;^= = ^)P/x5p///5t + iP/p + i ^ pjx5p///5t + ip/p + i 

where = i * • • • * a?. Then eq. (8) is written as 



dux = ( “iwxip// 



aNPixSpn 



Finally, at Step 2 of Unblinding I, each MIX server computes 



aix = a 



'^/pix 

//A 



( 



aiSpii 



awSpi! 



) 



(9) 



for 1 < < . Note that ( “Up// ^ ^ ^ aN&pii'^ jg independent of . Therefore, 

we see that an = a 12 = • • • = ct/k- This means that the check of Unblinding I is 
satisfied. □ 



Theorem 2. The check of Unblinding II is satisfied.

Proof: Note that t+i = 1 and St+i is the product of all the elements of 

eq. (8) for = 1. Therefore, we have 

_ aiSt+iPIItu ^ ^ ONSt+iPUt+i _ / St+iPUt+ixai+.-.+aN 

<Pi+l — 1 * ■ ■ ■ * — ll I 

= ( 

Thus, eq. (6) is satisfied. Hence, eq. (7) is satisfied for some . □ 

Finally, from eq. (9) and Step 5 of Unblinding II, the output of the MIXEXP 
becomes as follows. 

A. _ ;^l/prr 
(Jl — au 

^ Q;i (5 

= (( i*---* ••• ( i*---* 

This is clearly different from a permutation of ( f . . . %). (See Step 5 of Un- 

blinding II.) Therefore, the MIXEXP does not compute the correct output with- 
out being detected. 
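The core of the observation in Sect. 3.2, reduced to a model a defender can run, as an added example: this is not the paper's code and not Jakobsson's actual MIXEXP. A server with secret delta (public y = g^delta) is supposed to output a permutation of its inputs raised to delta, and is checked only through the products of its input and output lists, here with a Chaum-Pedersen proof of the product relation. The block shows that a list of the form A^{alpha_i delta} with sum alpha_i = 1 passes that aggregate check while bearing no element-wise relation to the inputs, and that the limited-open-verification idea of Sect. 1.2 (a verifier in the same block who is told delta recomputes the whole list) catches it. Names and the toy group (P = 2039, G = 4) are this example's constructions.

```python
# Added example, not the paper's code and not Jakobsson's actual MIXEXP: a
# stripped-down model of the observation in Sect. 3.2. A server with secret
# delta (public y = g^delta) is supposed to output a permutation of the inputs
# raised to delta, and is checked only through the products of its input and
# output lists. Names, the Chaum-Pedersen proof used for the product relation,
# and the toy group (P = 2Q+1 = 2039, G = 4) are this example's constructions.
import hashlib
import random

P, Q, G = 2039, 1019, 4


def H(*vals):
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def product(lst):
    out = 1
    for v in lst:
        out = out * v % P
    return out


def honest_mix(inputs, delta, rng):
    """Correct behaviour: raise every element to delta, then permute."""
    out = [pow(m, delta, P) for m in inputs]
    rng.shuffle(out)
    return out


def product_preserving_garbage(inputs, delta, rng):
    """Outputs with the same product as an honest list but no element-wise
    relation to the inputs: A^{alpha_i delta} with sum alpha_i = 1 (mod q),
    where A is the product of the inputs (the structure of eq. (8))."""
    A = product(inputs)
    alphas = [rng.randrange(Q) for _ in range(len(inputs) - 1)]
    alphas.append((1 - sum(alphas)) % Q)
    return [pow(A, a * delta % Q, P) for a in alphas]


def prove_product(delta, rho, rng):
    """Chaum-Pedersen proof that log_g y == log_rho S, i.e. S == rho^delta."""
    k = rng.randrange(Q)
    c = H(pow(G, k, P), pow(rho, k, P))
    return c, (k - c * delta) % Q


def aggregate_check(inputs, outputs, y, proof):
    """What a product-only verifier sees: it accepts whenever the products
    satisfy S == rho^delta, whatever the individual elements are."""
    rho, S = product(inputs), product(outputs)
    c, t = proof
    return c == H(pow(G, t, P) * pow(y, c, P) % P,
                  pow(rho, t, P) * pow(S, c, P) % P)


def opened_check(inputs, outputs, delta):
    """Limited-open-verification (Sect. 1.2): a verifier told delta recomputes
    the multiset {m^delta} and compares it with the output, order aside."""
    return sorted(pow(m, delta, P) for m in inputs) == sorted(outputs)


def demo(seed=11):
    rng = random.Random(seed)
    inputs = [pow(G, rng.randrange(1, Q), P) for _ in range(5)]   # constructed
    delta = rng.randrange(1, Q)
    y = pow(G, delta, P)
    proof = prove_product(delta, product(inputs), rng)
    good = honest_mix(inputs, delta, rng)
    bad = product_preserving_garbage(inputs, delta, rng)
    return (aggregate_check(inputs, good, y, proof),
            opened_check(inputs, good, delta),
            aggregate_check(inputs, bad, y, proof),
            opened_check(inputs, bad, delta))
```

`demo` returns (True, True, True, False): the aggregate check cannot tell the two output lists apart, the element-wise recheck can. The general lesson for anyone reviewing a mix or shuffle design is that any check that only constrains a homomorphic aggregate of the output leaves the individual elements unconstrained.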



4 Proposed MIX Net 

In this section, we show an efficient t-resilient MIX net by using a certain combinatorial
structure over the set of MIX servers.

In Sect. 4.1, we introduce two new concepts, existential-honesty and limited-open-verification.
They will be useful for distributed computation in general.
We also define a combinatorial structure which guarantees that our scheme is
t-resilient.

Our scheme is given in Sect. 4.2 and Sect. 4.3. We further show an efficient
construction of the combinatorial structure by using coverings [29] in Sect. 4.4.
Coverings have recently been used in another cryptographic application: robust
secret sharing by Rees et al. [23].
4.1 Existential-Honesty and Limited-Open-Verification 

A set system is a pair (X, B), where X = {1, 2, ..., v} and B is a collection of blocks B_i ⊆ X with i = 1, 2, ..., b. First, we define (v, b, t)-verifiers set systems. 

Definition 1. We say that (X, B) is a (v, b, t)-verifiers set system if 

1. |B_i| = t + 1 for i = 1, 2, ..., b, and 

2. for any subset of X with at most t elements, there exists a B_i ∈ B disjoint from it. 

Let (X, B) be a (v, b, t)-verifiers set system. We identify X with the set of MIX servers. Therefore, B_i is a subset of MIX servers of size t + 1. We choose P_i ∈ B_i arbitrarily for 1 ≤ i ≤ b. P_i is called a prover. The other MIX servers of B_i are called verifiers. 

We introduce two new concepts in this paper, 

— Existential-honesty and 

— t-open-verification 

which we now describe. 

Existential honesty follows from Definition 1. Although existential honesty is not limited to applications in the MIX context and may be useful in other distributed computation, we focus on its MIX application. In each block one designated party will mix the ciphertexts. As long as one block of MIX servers is free of dishonest machines, the goal of mixing has been achieved. Now, we do not know which block satisfies this property. However, Definition 1 guarantees that there always exists one block of honest parties. So, we let each block mix the ciphertexts (i.e. the designated party of that block). What do we do when the designated party of a block B_j is dishonest? Since a block has t + 1 parties and there are at most t dishonest parties, the block contains at least one honest verifier, so the misbehaviour must be detected. If it is detected, then we ignore the output and proceed with the output of block B_{j-1} (or an even earlier one if the designated party in B_{j-1} was dishonest). Now, what happens when one of the verifiers falsely accuses the mixing party of having been dishonest? Then we know that this block is not free of dishonest parties, and therefore the block under consideration is not the one of Definition 1, so we can just ignore the output of the block. In other words, we do not have to decide whether the one who mixed it was honest or not. 

We now explain t-open-verification. In many secure distributed computation protocols zero-knowledge is used to prove that the computation was done correctly. In our approach we do not need zero-knowledge: the prover will reveal the secrets he used. However, he will only do this to t parties. Existential honesty guarantees that all parties in at least one of the blocks of MIX servers will be honest. So, the prover can reveal the secret he used. This speeds up the verification dramatically. 

We now formally describe the scheme in full detail. 
4.2 Initialization 

Let y = g^x mod p be a public key of the ElGamal scheme as shown in Sect. 2.2. We assume that the secret key x is distributed among v MIX servers by using Shamir's (t + 1, v) secret sharing scheme. Actually, we use a robust (t + 1, v) threshold ElGamal decryption scheme. (See the end of the next subsection for more details.) 

1. Each user i computes a ciphertext C_i, consisting of an ElGamal pair, auxiliary information u_i and a signature sig_i, by the non-malleable ElGamal encryption scheme [28] as shown in Sect. 2.3. That is, the pair is the ciphertext of the usual ElGamal scheme, u_i is the auxiliary information and sig_i is Schnorr's signature of the pair and u_i, such that the first component of the pair serves as the public key and the random exponent used to form it serves as the secret key. 

2. Each user i posts his ciphertext C_i to the bulletin board. 

3. C_i is discarded if the signature is not valid. 

4.3 Main Protocol 

We assume that all MIX servers of B_i share a common key K_i for 1 ≤ i ≤ b. We extract the ElGamal pair from each valid ciphertext C_i. Let 

A_0 = (the N extracted pairs, in the order of the users). 

We wish to produce a random permutation of the list (m_1, ..., m_N), where m_i is the plaintext of the i-th pair. A prover of a block B_j first publishes A_1, which is a randomly permuted list of reencrypted ciphertexts of A_0. He then privately broadcasts the secret random string R_j he used to the verifiers in the same block B_j. Each verifier of B_j checks the validity of A_1 by using R_j. 

For j = 1, ..., b, do: 

Step 1. Let A_0 be the current list of N pairs. The prover P_j of block B_j chooses random numbers s_1, ..., s_N and a random permutation π_j. She computes A_1 by reencrypting the i-th pair of A_0 with s_i (multiplying it componentwise by (g^{s_i}, y^{s_i})) for 1 ≤ i ≤ N and applying π_j to the resulting list, and then publishes A_1. (A_1 is commonly used for all the verifiers of B_j.) 

Step 2. P_j encrypts s_1, ..., s_N and π_j by the key K_j of block B_j. Then P_j publishes these ciphertexts. (P_j is broadcasting s_1, ..., s_N and π_j secretly to all the verifiers of B_j.) 

Step 3. Each verifier of block B_j decrypts the above ciphertexts and checks whether A_1 is computed correctly by using s_1, ..., s_N and π_j. He outputs “ACCEPT” if A_1 is computed correctly and “REJECT” otherwise. 

Step 4. If some verifier of block B_j outputs “REJECT”, then A_1 is ignored. Otherwise, let A_0 := A_1. 

Let the final result be A_0, a list of N pairs. 

Next any (t + 1) MIX servers decrypt each pair by using a robust (t + 1, v) threshold ElGamal decryption scheme. Finally, we obtain a random permutation of the list (m_1, ..., m_N). 

Gennaro et al. showed a robust threshold RSA signature scheme in [12]. A 
robust (t + 1 v) threshold ElGamal decryption scheme is easily obtained by 
applying their technique to ElGamal decryption. 
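The following Python is an added example, not the authors' code: it runs Steps 1 to 4 of one block over a toy ElGamal group and lets a verifier recompute A_1 from the opened s_1, ..., s_N and π_j, so that a prover who alters any entry is rejected and its list ignored, as in Step 4. The group parameters, the message encoding and the function names are assumptions of the example; Step 2's encryption under the block key and the (t + 1, v) threshold decryption are abstracted (the opening is handed over directly and a single secret key decrypts at the end).

```python
import random

# Constructed toy group (NOT a secure size): p = 2q + 1 with q prime,
# G = 4 generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4


def keygen(rng):
    """ElGamal key pair (x, y = g^x).  The paper shares x among the servers with a
    (t+1, v) threshold scheme; this example keeps a single x for decryption."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt(y, m, rng):
    r = rng.randrange(1, Q)
    return (pow(G, r, P), m * pow(y, r, P) % P)


def decrypt(x, pair):
    a, b = pair
    return b * pow(a, Q - x, P) % P          # b / a^x, since a^q = 1


def reencrypt(y, pair, s):
    """Multiply the pair componentwise by (g^s, y^s): same plaintext, fresh randomness."""
    a, b = pair
    return (a * pow(G, s, P) % P, b * pow(y, s, P) % P)


def prover_step1(y, a0, rng):
    """Step 1: random s_1..s_N and permutation pi_j; A_1 = pi_j(re-encrypted A_0).
    Returns A_1 and the opening (s, pi) that Step 2 sends to the block's verifiers."""
    n = len(a0)
    s = [rng.randrange(1, Q) for _ in range(n)]
    pi = list(range(n))
    rng.shuffle(pi)
    a1 = [reencrypt(y, a0[pi[k]], s[pi[k]]) for k in range(n)]
    return a1, {"s": s, "pi": pi}


def verifier_step3(y, a0, a1, opening):
    """Step 3: recompute A_1 from A_0 with the revealed s and pi; ACCEPT iff equal."""
    s, pi = opening["s"], opening["pi"]
    n = len(a0)
    if len(s) != n or sorted(pi) != list(range(n)):
        return "REJECT"
    expected = [reencrypt(y, a0[pi[k]], s[pi[k]]) for k in range(n)]
    return "ACCEPT" if expected == a1 else "REJECT"


def run_block(y, a0, rng, cheat=False):
    """Steps 1-4 for one block.  Step 2 (encryption of the opening under the block
    key K_j) is modelled as handing the opening over a private channel."""
    a1, opening = prover_step1(y, a0, rng)
    if cheat:
        # dishonest prover: silently changes the plaintext behind one output entry
        a, b = a1[0]
        a1[0] = (a, b * G % P)
    verdict = verifier_step3(y, a0, a1, opening)
    return verdict, (a1 if verdict == "ACCEPT" else a0)


def mix(messages, blocks, seed=0, cheating_blocks=()):
    """Run the main protocol over `blocks` provers and decrypt the final list.
    Returns (verdict per block, decrypted output list)."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    a0 = [encrypt(y, m, rng) for m in messages]
    verdicts = []
    for j in range(blocks):
        verdict, a0 = run_block(y, a0, rng, cheat=(j in cheating_blocks))
        verdicts.append(verdict)
    return verdicts, [decrypt(x, c) for c in a0]


# Constructed plaintexts: elements of the order-q subgroup.
MESSAGES = [pow(G, k, P) for k in (11, 23, 37, 58)]
```

A run with `cheating_blocks=(1,)` shows the mechanism of Sect. 4.1: the second block's list is rejected and discarded, the other blocks still shuffle, and the final decryption is a permutation of the original plaintexts.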



4.4 Construction of the Set System 

Let v = (t + 1)^2, b = t + 1, X = {1, 2, ..., (t + 1)^2} and B_i = {(i − 1)(t + 1) + 1, ..., i(t + 1)} for 1 ≤ i ≤ b. Then it is easy to see that (X, B) is a ((t + 1)^2, t + 1, t)-verifiers set system. 

We next show a more efficient (v, b, t)-verifiers set system. A set system (X, B) is called a (v, k, t)-covering if [29] 

1. |B_i| = k for 1 ≤ i ≤ b, and 

2. every t-subset of X is included in at least one block. 



From [17], we have the following proposition. (We learned about Proposition 1 from [23].) 

Proposition 1. Suppose that k = v/n and 

3 ≤ s ≤ (t + 3)/2,   k(t − (s − 3)/2) ≤ v ≤ k(t − (s − 4)/2). 

Then there exists a (v, v − k, t)-covering such that b = t + s. Further, each element of X is included in at most two blocks. See [17,23] for the construction. 

We next borrow the following lemma from [23] in which the lemma was used for robust secret sharing schemes. The proof will be clear. 

Lemma 1. (X, B) is a (v, b, t)-verifiers set system if and only if the set system (X, B^c) is a (v, v − t − 1, t)-covering, where B^c = {X \ B_i | B_i ∈ B}. 

Then we obtain a (v, b, t)-verifiers set system as follows. 

Corollary 1. For t = o( ), there exists a (v, b, t)-verifiers set system such that 

v = (3/4)(t + 1)^2 and b = (3/2)(t + 1). (10) 

Further, each element of X is included in at most two blocks. 

Proof: In Proposition 1, let k = t + 1 and s = (t + 3)/2. □ 

The fact that each MIX server is included in at most two blocks is essential for understanding the efficiency analysis described further on. 

We show a small example of Corollary 1. Let t = 3, b = 6, v = 12 and 

B_1 = (1, 2, 3, 4), B_2 = (3, 4, 5, 6), B_3 = (5, 6, 1, 2), 
B_4 = (7, 8, 9, 10), B_5 = (9, 10, 11, 12), B_6 = (11, 12, 7, 8). 

Then it is easy to see that this is a (12, 6, 3)-verifiers set system which satisfies Corollary 1. 
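As an added illustration (not part of the paper), the following Python checks Definition 1, Lemma 1 and the example above by brute force, and also builds the first construction of Sect. 4.4 for any t. Blocks are encoded as Python sets over {1, ..., v}; the function names are my own.

```python
from itertools import combinations

# Constructed example from Corollary 1 (t = 3, v = 12, b = 6): six blocks of
# size t + 1 over the MIX servers {1, ..., 12}.
T_EXAMPLE = 3
V_EXAMPLE = 12
BLOCKS_EXAMPLE = [
    {1, 2, 3, 4}, {3, 4, 5, 6}, {5, 6, 1, 2},
    {7, 8, 9, 10}, {9, 10, 11, 12}, {11, 12, 7, 8},
]


def is_verifiers_set_system(v, blocks, t):
    """Definition 1: every block has t + 1 points, and every set of at most t
    points (the possible dishonest servers) is disjoint from at least one block."""
    points = set(range(1, v + 1))
    if any(len(b) != t + 1 or not b <= points for b in blocks):
        return False
    for size in range(t + 1):
        for dishonest in combinations(points, size):
            d = set(dishonest)
            if not any(d.isdisjoint(b) for b in blocks):
                return False
    return True


def is_covering(v, blocks, k, t):
    """(v, k, t)-covering: every block has k points and every t-subset of
    {1, ..., v} lies inside at least one block."""
    points = set(range(1, v + 1))
    if any(len(b) != k for b in blocks):
        return False
    return all(any(set(sub) <= b for b in blocks)
               for sub in combinations(points, t))


def complement_blocks(v, blocks):
    """B^c = {X \\ B_i}: the block system used in Lemma 1."""
    points = set(range(1, v + 1))
    return [points - b for b in blocks]


def max_block_membership(v, blocks):
    """Largest number of blocks a single server belongs to (its prover/verifier load)."""
    return max(sum(1 for b in blocks if x in b) for x in range(1, v + 1))


def partition_system(t):
    """First construction of Sect. 4.4: v = (t+1)^2 points split into t + 1
    disjoint blocks of size t + 1.  Returns (v, blocks)."""
    v = (t + 1) ** 2
    blocks = [set(range(i * (t + 1) + 1, (i + 1) * (t + 1) + 1))
              for i in range(t + 1)]
    return v, blocks
```

Dropping any one block of the example (say B_3) already breaks Definition 1: the three servers 3, 9 and 11 then meet every remaining block, so no block is guaranteed free of dishonest servers.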

4.5 Efficiency 

In the (v, b, t)-verifiers set system of Corollary 1, each MIX server is included in at most two blocks. Therefore, each MIX server acts as a prover at most twice and acts as a verifier at most twice. 

In Step 1 and Step 2, each prover computes A_1 and encrypts s_1, ..., s_N and π_j. This computation cost is O( ). He publishes A_1 and the ciphertexts of s_1, ..., s_N and π_j. This communication cost is O( ). Therefore, the total cost of the prover is O( ). In Step 3, each verifier decrypts the ciphertexts of s_1, ..., s_N, π_j and checks the validity of A_1. This computation cost is O( ). He publishes “ACCEPT” or “REJECT”. This communication cost is O(1). Therefore, the total cost of the verifier is O( ). In the end, the total cost of each MIX server is O( ). 

An alternative method to compute the computation cost per user is to analyze the total cost and then divide by the total number of MIX servers. One then needs to take into account that the number of MIX servers is O(t^2), compared to O(t) in previous work. 

5 Security of the Protocol 

5.1 Verifiability 

Suppose that the prover P_j of B_j is malicious and A_1 is not correctly computed. Then there exists at least one honest verifier in B_j because |B_j| = t + 1 and there exist at most t malicious MIX servers. The honest verifier outputs “REJECT” at Step 3. Therefore, A_1 is ignored at Step 4. 

5.2 Robustness 

For any t malicious MIX servers, there exists at least one B_i in which all MIX servers are honest, from Def. 1. This B_i computes A_1 correctly. On the other hand, any invalid A_1 is ignored by the verifiability. Therefore, our protocol outputs a random permutation of (m_1, ..., m_N) correctly even if there are at most t malicious MIX servers. 
5.3 Privacy (Sketch) 

The ElGamal based encryption scheme of [28] is known to be non-malleable under adaptive chosen ciphertext attack. Let C_1, C_2 be two ciphertexts and m_1, m_2 be the plaintexts. Then by using the result of [4], we can show that there exists no probabilistic polynomial time (p.p.t.) Turing machine (distinguisher) which can distinguish (C_1, C_2, m_1, m_2) and (C_1, C_2, m_2, m_1) with meaningful probability. 

This is the minimum requirement that any MIX net of this type must satisfy. We also assume that it satisfies plaintext awareness [5], which means that no p.p.t. adversary can create a ciphertext without knowing its underlying plaintext m. 

Now consider an adversary who can control at most t MIX servers and at most N − 2 of the users posting encrypted messages. It is the goal of the adversary to match each one of the two plaintexts m_1, m_2 to their corresponding ciphertexts C_1, C_2 that he does not control. In other words, the adversary wishes to distinguish (C_1, C_2, m_1, m_2) and (C_1, C_2, m_2, m_1). 

Suppose that there exists a p.p.t. adversary who can distinguish (C_1, C_2, m_1, m_2) and (C_1, C_2, m_2, m_1) with meaningful probability. For simplicity, suppose that the adversary controls users 3, ..., N. 

We will show a distinguisher D. The input to D is (C_1, C_2, μ_1, μ_2), where (μ_1, μ_2) = (m_1, m_2) or (m_2, m_1). D first gives C_1, C_2 to the adversary and runs the users' part of the adversary. Then the adversary outputs C_3, ..., C_N. From the plaintext awareness assumption, the adversary knows the plaintexts m_3, ..., m_N of C_3, ..., C_N. Therefore, D knows the set {m_1, m_2, m_3, ..., m_N}. 

D next runs the main body of our protocol in such a way that D simulates the part of the honest MIX servers faithfully and uses the adversary for the part of the malicious MIX servers. Let the output of the main body be A_0, a list of N pairs. Note that A_0 is a random permutation of randomized ciphertexts of C_1, ..., C_N from Sect. 5.2. 

Let π be a random permutation. Let m̃_i denote the plaintext of the i-th pair of A_0 for 1 ≤ i ≤ N. Then we can show that the adversary cannot distinguish (the i-th pair, m̃_i) and (the i-th pair, m_{π(i)}) under the decision Diffie-Hellman assumption. D finally generates a view of the adversary for the robust (t + 1, n) threshold ElGamal decryption scheme with (the i-th pair, m_{π(i)}) by using the technique of [8,12] for 1 ≤ i ≤ N. 

Then the adversary can distinguish (C_1, C_2, m_1, m_2) and (C_1, C_2, m_2, m_1) with meaningful probability from our assumption on the adversary. Hence, D can distinguish (C_1, C_2, m_1, m_2) and (C_1, C_2, m_2, m_1) with meaningful probability. However, this is a contradiction. 



6 Open Problems 

This paper introduces several open problems, in particular: 

— whether the new tools of existential-honesty and limited-open-verification can be used in other secure distributed computation. 

— whether there are other choices of v. Indeed, when t is large the required number of MIX servers grows only quadratically. Although this is reasonable for a theoretician, from a practical viewpoint, the question is worth addressing. 

— is O( ) the minimum required effort per MIX server while maintaining t-privacy, t-verifiability, and t-robustness, in a network with O(t^2) servers? 
Abstract. This paper describes new techniques for fast correlation attacks, based on Gallager's iterative decoding algorithm using parity-check equations of weight greater than 3. These attacks can be applied to any key-stream generator based on LFSRs and they do not require that the involved feedback polynomial have a low weight. We give a theoretical analysis of all fast correlation attacks, which shows that our algorithm with parity-check equations of weight 4 or 5 is usually much more efficient than correlation attacks based on convolutional codes or on turbo codes. Simulation results confirm the validity of this comparison. In this context, we also point out the major role played by the nonlinearity of the Boolean function used in a combination generator. 



1 Introduction 

Stream ciphers form an important class of secret-key encryption schemes. They are widely used in applications since they present many advantages: they are usually faster than common block ciphers and they have less complex hardware circuitry. Moreover, their use is particularly well-suited when errors may occur during the transmission because they avoid error propagation. In a binary additive stream cipher the ciphertext is obtained by adding bitwise the plaintext to a pseudo-random sequence s, called the running-key (or the key stream). The running-key is produced by a pseudo-random generator whose initialization is the secret key shared by the users. Most attacks on such ciphers therefore consist in recovering the initialization of the pseudo-random generator from the knowledge of a few ciphertext bits (or of some bits of the running-key in known-plaintext attacks). 

Linear feedback shift registers (LFSRs) are the basic components of most 
key-stream generators since they are appropriate to hardware implementations, 
produce sequences with good statistical properties and can be easily analyzed. 
Different classes of key-stream generators can be distinguished depending on the 
techniques used for combining the constituent LFSRs [16]: combination genera- 
tors, filter generators, clock-controlled generators .... In all these systems, the 
secret key usually consists of the initial states of the constituent LFSRs. The secret key has then $\sum_{i=1}^{n} L_i$ bits, where $L_i$ denotes the length of the i-th LFSR and n is the number of involved LFSRs. Any key-stream generator based on LFSRs is vulnerable to correlation attacks. These cryptanalytic techniques introduced by Siegenthaler [20] are “divide-and-conquer” methods: they exploit the existence of a statistical dependence between the running-key and the output of one constituent LFSR for recovering the initialization of each LFSR separately. The secret key can then be recovered with only $\sum_{i=1}^{n} 2^{L_i}$ tests. 

A classical method for generating a running-key is to combine n LFSRs by a nonlinear Boolean function f. Such a combination generator is depicted in Figure 1. 

Fig. 1. Combination generator 

For combination generators, the original correlation attack presented by Siegenthaler can be prevented by using a correlation-immune combining function [19]. In this case, the running-key is statistically independent of the output of each constituent LFSR; any correlation attack should then consider several LFSRs together. More generally, a correlation attack on a set of k LFSRs, namely LFSR $i_1$, ..., LFSR $i_k$, exploits the existence of a correlation between the running-key s and the output σ of a smaller combination generator, which consists of the k involved LFSRs combined by a Boolean function g with k variables (see Fig. 2). Since $\Pr[s_n \neq \sigma_n] = \Pr[f(X_1, \ldots, X_n) \neq g(X_{i_1}, \ldots, X_{i_k})] = p_g$, this attack only succeeds when $p_g < 0.5$. The number k of involved LFSRs should then be strictly greater than the correlation immunity order t of the combining function f. This cryptanalysis therefore requires that all $2^{\sum_{j=1}^{k} L_{i_j}}$ initial states be examined; it becomes infeasible when the correlation-immunity order t of the combining function is high. 

The fast correlation attack proposed by Meier and Staffelbach [9, 10] relies on the same principle but it avoids examining all possible initializations of (t + 1) LFSRs together. Let us again consider the sequence σ produced by LFSR $i_1$, ..., LFSR $i_k$ combined by g. The sequence σ obviously corresponds to the output of a unique LFSR of length L; the length and the feedback polynomial P of this LFSR can be derived from the feedback polynomials of the constituent LFSRs. Note that $L \leq g(L_{i_1}, \ldots, L_{i_k})$ where the function g is evaluated over integers. Equality notably holds when the feedback polynomials of the involved LFSRs are primitive and when their degrees are coprime [17]. Any subsequence of length N of σ is then a codeword of a linear code C of length N and dimension L defined by the feedback polynomial P. The running-key subsequence $(s_n)_{n<N}$ can then be seen as the result of the transmission of $(\sigma_n)_{n<N}$ through the binary symmetric channel with error probability (or crossover probability) $p = \Pr[s_n \neq \sigma_n]$. The attack therefore aims at recovering L consecutive bits of σ (i.e., the initial state of the equivalent LFSR) from the knowledge of N bits of s. This can be done by decoding $(s_n)_{n<N}$ relatively to C. 

Fig. 2. Correlation attack involving k constituent LFSRs 

From the attacker's point of view, the main problem is to make the cryptanalysis feasible even if a small number N of bits of the running-key (or of the ciphertext) is known. Shannon's channel coding theorem [18] gives a theoretical lower bound on N depending on the error-probability p: $N \geq L / C(p)$, where C(p) is the capacity of the binary symmetric channel with error-probability p, i.e., $C(p) = 1 + p \log_2(p) + (1 - p) \log_2(1 - p)$. Unfortunately no efficient general decoding algorithm is known for achieving the channel capacity. This means that practical correlation attacks require that the known running-key sequence be much longer than this theoretical bound. Any improvement of fast correlation attacks then consists in finding an efficient decoding procedure for the code C, when N is as close as possible to Shannon's limit. 

Fig. 3. Model for a fast correlation attack (binary symmetric channel) 

Anne Canteaut and Michael Trabbia 



Meier and Staffelbach's attack [10] uses the iterative decoding process due to Gallager for low-density parity-check codes [3]. Any polynomial multiple of P actually provides a parity-check equation for C as far as its degree is less than N. It follows that the received sequence $(s_n)_{n<N}$ can be decoded with Gallager's algorithm when the feedback polynomial P has a low weight and when the error probability p is not too high. Several minor improvements of this original attack were proposed in [21, 12, 1, 13, 15] but these papers did not introduce any important modification of the basic underlying concepts. Johansson and Jonsson recently proposed two new techniques for fast correlation attacks: the main idea is to derive from $(s_n)_{n<N}$ a sequence which can be seen as a corrupted version of a word of a convolutional code [6] or of a turbo code [7]. These new attacks increase the highest achievable error probability p for given values of L and N (L is the length of the LFSR generating σ and N is the number of known bits of the running-key). Moreover, they do not require that the feedback polynomial P have a low weight. We here show that Gallager's iterative decoding algorithm with parity-check equations of weight 4 or 5 is usually much more efficient than all previous attacks: it successfully decodes very high error probabilities with a feasible time and memory complexity, and it does not require that the feedback polynomial P have a low weight. As an example, for an LFSR of length L = 40 and an error-probability p = 0.3, the best previously known attack [7] requires the knowledge of N = 40,000 bits of s whereas our algorithm with parity-check equations of weight 5 is successful with only 9,770 bits. 



The paper is organized as follows. Section 2 focuses on the particular case of combination generators. Here, we prove that the lowest possible Hamming distance between a fixed t-resilient function and any Boolean function with (t + 1) variables is achieved by an affine function. It follows that the nonlinearity of the combining function plays a major role in the resistance of a combination generator to correlation attacks. The rest of the paper presents a new general method for fast correlation attacks which can be applied to any type of key-stream generator based on LFSRs. The preprocessing step and the decoding step of the algorithm are respectively described in Sections 3 and 4. Section 5 gives a theoretical analysis of the recent attacks proposed by Johansson and Jonsson. Most notably, we point out that our attack using parity-check equations of weight 4 or 5 has better performance than the attacks based on convolutional codes or on turbo codes. Section 6 finally presents some simulation results which confirm the validity of the previous comparison. 
2 Approximation of a t-Resilient Function by a Function with t + 1 Variables 

This section is devoted to the special case of combination generators. It focuses on the choice of the Boolean function g which is used for combining the k LFSRs involved in the correlation attack (see Fig. 2). The attack is all the more efficient as the correlation between the running-key s and the sequence σ is high. This equivalently means that $\Pr[s_n \neq \sigma_n]$ should be as small as possible. The Boolean function g with k variables should then minimize $p_g = \Pr[f(X_1, \ldots, X_n) \neq g(Y_1, \ldots, Y_k)]$. Moreover, since the length of the equivalent LFSR considered in a fast correlation attack is usually given by $L = g(L_{i_1}, \ldots, L_{i_k})$, it is obviously required that the degree of g be not too high. 

We first recall some basic properties of Boolean functions (see e.g. [8], [11] and [2] for details). In the following, $\mathcal{F}_n$ denotes the set of all Boolean functions with n variables, i.e., the set of all functions from $\mathbf{F}_2^n$ into $\mathbf{F}_2$. A Boolean function is balanced if its output is uniformly distributed; balancedness is then an obvious requirement for combining functions. A Boolean function $f \in \mathcal{F}_n$ is t-th order correlation-immune if the probability distribution of its output is unaltered when any t input variables are fixed [19]. Balanced t-th order correlation-immune functions are called t-resilient. Note that a t-th order correlation-immune function is k-th order correlation-immune for any k ≤ t. From now on, the correlation-immunity order of a function f then refers to the highest integer t such that f is t-th order correlation-immune. The Walsh transform of a Boolean function $f \in \mathcal{F}_n$ is the Fourier transform of the corresponding sign function $\chi_f(x) = (-1)^{f(x)}$: 

$$\forall u \in \mathbf{F}_2^n,\quad \widehat{\chi}_f(u) = \sum_{x \in \mathbf{F}_2^n} (-1)^{f(x)} (-1)^{u \cdot x}$$ 

where $x \cdot y$ denotes the usual dot product between two n-bit vectors x and y. The Walsh coefficient $\widehat{\chi}_f(u)$ estimates the Hamming distance between f and the affine function $u \cdot x + \varepsilon$, $\varepsilon \in \mathbf{F}_2$: 

$$\Pr[f(X_1, \ldots, X_n) \neq u \cdot X + \varepsilon] = \frac{1}{2} - \frac{(-1)^{\varepsilon}\, \widehat{\chi}_f(u)}{2^{n+1}} .$$ 

The nonlinearity of f, $\mathcal{NL}(f)$, corresponds to its Hamming distance to the set of affine functions: 

$$\mathcal{NL}(f) = 2^{n-1} - \frac{1}{2} \max_{u \in \mathbf{F}_2^n} |\widehat{\chi}_f(u)| .$$ 

We now consider the combination generator depicted in Figure 1 and we assume that the combining function f is t-resilient. The running-key produced by the combination generator is then independent of any set of t constituent LFSRs. The smallest number of LFSRs involved in a correlation attack is therefore t + 1. We now prove that, in this case, the Boolean function g with (t + 1) variables which provides the best approximation to f (i.e., which minimizes $p_g$) is an affine function. 
Theorem 1. Let f be a t-resilient function with n variables and let T be a subset of {1, ..., n} of cardinality (t + 1), $T = \{i_1, \ldots, i_{t+1}\}$. The lowest possible value over all $g \in \mathcal{F}_{t+1}$ of 

$$p_g = \Pr[f(X_1, \ldots, X_n) \neq g(X_{i_1}, \ldots, X_{i_{t+1}})]$$ 

is achieved by the affine function 

$$g(x_{i_1}, \ldots, x_{i_{t+1}}) = \sum_{i \in T} x_i + \varepsilon$$ 

with ε = 0 if $\widehat{\chi}_f(1_T) > 0$ and ε = 1 otherwise, where $1_T$ denotes the n-bit vector whose i-th component equals 1 if and only if $i \in T$. 

Moreover, we have 

$$\min_{g \in \mathcal{F}_{t+1}} p_g = \frac{1}{2} - \frac{1}{2^{n+1}} |\widehat{\chi}_f(1_T)| .$$ 

Proof: For any vector $x \in \mathbf{F}_2^n$, x = (y, z) refers to the decomposition of x with respect to T, i.e., y is the (t + 1)-bit vector composed of all $x_i$, $i \in T$. Let $p_T(y)$, $y \in \mathbf{F}_2^{t+1}$, denote the probability $p_T(y) = \Pr[f(Y, Z) = 1 \mid Y = y]$. For any $g \in \mathcal{F}_{t+1}$ we have 

$$p_g = \Pr[f(Y,Z) \neq g(Y)] = \sum_{y \in g^{-1}(0)} \Pr[f(Y,Z) = 1 \mid Y = y]\,\Pr[Y = y] + \sum_{y \in g^{-1}(1)} \Pr[f(Y,Z) = 0 \mid Y = y]\,\Pr[Y = y]$$ 
$$= \frac{1}{2^{t+1}} \Big( \sum_{y \in g^{-1}(0)} p_T(y) + \sum_{y \in g^{-1}(1)} \big(1 - p_T(y)\big) \Big) .$$ 

It follows that $p_g$ is minimal if and only if 

$$g(x) = \begin{cases} 0 & \text{if } p_T(x) < 1/2, \\ 1 & \text{if } p_T(x) > 1/2 . \end{cases} \qquad (1)$$ 

Note that the value of g(x) can be arbitrarily chosen when $p_T(x) = 1/2$. For any $j \in T$, $e_j$ denotes the (t + 1)-bit vector whose coordinates are all zero except the j-th one. For any $y \in \mathbf{F}_2^{t+1}$ and any $j \in T$, we have 

$$p_T(y) + p_T(y + e_j) = \Pr[f(Y,Z) = 1 \mid Y = y] + \Pr[f(Y,Z) = 1 \mid Y = y + e_j]$$ 
$$= 2\Big(\Pr[f(Y,Z) = 1 \mid \forall i \in T,\ Y_i = y_i]\,\Pr[Y_j = y_j] + \Pr[f(Y,Z) = 1 \mid \forall i \in T \setminus \{j\},\ Y_i = y_i,\ Y_j \neq y_j]\,\Pr[Y_j \neq y_j]\Big)$$ 
$$= 2\Pr[f(Y,Z) = 1 \mid \forall i \in T \setminus \{j\},\ Y_i = y_i] = 1$$ 

where the last equality comes from the fact that f is t-resilient and that the set $T \setminus \{j\}$ has cardinality t. Let $g \in \mathcal{F}_{t+1}$ be such that $p_g$ is minimal. Since $p_T(x) + p_T(x + e_j) = 1$ for any $x \in \mathbf{F}_2^{t+1}$ and for any $j \in T$, Condition (1) implies that 

$$g(x) + g(x + e_j) = 1 \bmod 2$$ 

when $p_T(x) \neq 1/2$. Moreover, we can assume that this relation is satisfied for any $x \in \mathbf{F}_2^{t+1}$ because the value of g(x) can be arbitrarily chosen when $p_T(x) = 1/2$. It follows that, for any $x \in \mathbf{F}_2^{t+1}$, 

$$g(x) = g(0) + \sum_{i \in T} x_i .$$ 

Since g is an affine function, $p_g$ is given by 

$$p_g = \frac{1}{2} - \frac{(-1)^{g(0)}}{2^{n+1}}\, \widehat{\chi}_f(1_T) .$$ 

This probability is then minimized when $(-1)^{g(0)}$ and $\widehat{\chi}_f(1_T)$ have the same sign. □ 
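An added Python example (not from the paper) that computes the Walsh transform, the nonlinearity and the resiliency order of a constructed combining function f(x_1, x_2, x_3, x_4) = x_1 + x_2 + x_3 x_4, then checks Theorem 1 by brute force: for a subset T of t + 1 = 2 variables it minimises p_g over all 16 functions g and compares the minimum with 1/2 − |χ̂_f(1_T)| / 2^{n+1}. The choice of f, the bit ordering and the function names are my own.

```python
from fractions import Fraction
from itertools import product

N_EX = 4


def f_example(x1, x2, x3, x4):
    """Constructed 1-resilient function: x1 + x2 + x3*x4 (balanced, CI order 1)."""
    return x1 ^ x2 ^ (x3 & x4)


def bits(x, n):
    """Coordinates (x_1, ..., x_n) of the integer x; x_1 is the top bit."""
    return tuple((x >> (n - 1 - i)) & 1 for i in range(n))


def truth_table(func, n):
    return [func(*bits(x, n)) for x in range(1 << n)]


def walsh(tt, n, u):
    """chi_f(u) = sum_x (-1)^{f(x)} (-1)^{u.x}, with u encoded like x."""
    return sum(-1 if (tt[x] ^ (bin(x & u).count("1") & 1)) else 1
               for x in range(1 << n))


def nonlinearity(tt, n):
    """NL(f) = 2^{n-1} - (1/2) max_u |chi_f(u)|."""
    return (1 << (n - 1)) - max(abs(walsh(tt, n, u)) for u in range(1 << n)) // 2


def resiliency_order(tt, n):
    """Largest t with f balanced and chi_f(u) = 0 for 1 <= wt(u) <= t; -1 if unbalanced."""
    if walsh(tt, n, 0) != 0:
        return -1
    weights = [bin(u).count("1") for u in range(1, 1 << n) if walsh(tt, n, u) != 0]
    return min(weights) - 1 if weights else n


def one_T(T, n):
    """The vector 1_T: bits set exactly on the coordinates listed in T (1-based)."""
    return sum(1 << (n - i) for i in T)


def restrict(x, n, T):
    """Index of the sub-vector of x on the coordinates in T (in the order of T)."""
    b = bits(x, n)
    y = 0
    for i in T:
        y = (y << 1) | b[i - 1]
    return y


def p_g(tt, n, T, g_tt):
    """Pr[f(X) != g(X_T)] for g given by its truth table over F_2^{|T|}."""
    bad = sum(1 for x in range(1 << n) if tt[x] != g_tt[restrict(x, n, T)])
    return Fraction(bad, 1 << n)


def best_approximation(tt, n, T):
    """Brute force over all g in F_{|T|}: (min p_g, list of optimal truth tables)."""
    best, arg = None, []
    for g_tt in product((0, 1), repeat=1 << len(T)):
        val = p_g(tt, n, T, g_tt)
        if best is None or val < best:
            best, arg = val, [g_tt]
        elif val == best:
            arg.append(g_tt)
    return best, arg


def theorem1_bound(tt, n, T):
    """Right-hand side of Theorem 1: 1/2 - |chi_f(1_T)| / 2^{n+1}."""
    return Fraction(1, 2) - Fraction(abs(walsh(tt, n, one_T(T, n))), 1 << (n + 1))


def affine_sum(T, eps):
    """Truth table of the affine function sum_{i in T} x_i + eps over F_2^{|T|}."""
    return tuple((bin(y).count("1") + eps) & 1 for y in range(1 << len(T)))
```

For T = {1, 2} the unique optimum is x_1 + x_2 with p_g = 1/4, matching the bound; for T = {1, 3} the Walsh coefficient at 1_T vanishes, every g gives p_g = 1/2, and the bound is 1/2 as well, which is the resiliency property at work.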

It follows that, in a fast correlation attack involving (t + 1) LFSRs, the same combining function g minimizes both the error probability $p_g$ and the length of the LFSR generating σ. In this context, the feedback polynomial P of this equivalent LFSR is the least common multiple of the feedback polynomials $P_i$ of the considered LFSRs [22]. Note that we generally have $P = \prod_{i \in T} P_i$ since all these feedback polynomials are usually primitive. The running-key s can be seen as the result of the transmission of the sequence σ generated by this LFSR through the binary symmetric channel with the error probability given in Theorem 1. 

A similar cryptanalytic method applies to a ciphertext-only attack. In this case, we make use of the redundancy of the plaintext sequence m, i.e., $\Pr[m_n = 0] = p_0 > 1/2$. The attack now considers that the ciphertext sequence c results from the transmission of σ through the binary symmetric channel with error-probability 

$$p = \Pr[c_n \neq \sigma_n] = \frac{1}{2} - \frac{2p_0 - 1}{2^{n+1}} |\widehat{\chi}_f(1_T)| .$$ 

Theorem 1 points out the importance of the nonlinearity of the combining function f: any known-plaintext correlation attack on (t + 1) LFSRs should decode an error probability $p \geq \mathcal{NL}(f)/2^n$. The use of a highly nonlinear combining function may then prevent this attack. In this case, an acceptable error probability can only be obtained when (t + 2) constituent LFSRs are involved and when the degree of g is at least 2. But this dramatically increases the length of the equivalent LFSR and it makes any correlation attack infeasible. 

3 Generating Parity-Check Equations 

We now come back to the general cryptanalysis of any key-stream generator based on LFSRs. A fast correlation attack aims at recovering L consecutive bits of σ from the knowledge of N bits of s (see Fig. 3). We use that any N-bit subsequence of σ is a codeword of a linear code C of length N and dimension L defined by the feedback polynomial P. The preprocessing step of the attack then consists in generating some parity-check equations for C (i.e., linear relations involving some bits of $(\sigma_n)_{n<N}$) in such a way that they provide an efficient decoding procedure. Here, we use a fast decoding algorithm due to Gallager [3] for low-density parity-check codes. In this context, the preprocessing step consists in searching for all linear equations involving d bits of the sequence $(\sigma_n)_{n<N}$: 

$$\sigma_n + \sum_{i=1}^{d-1} \sigma_{n+c_i} = 0 .$$ 

These equations exactly correspond to the polynomials Q(X)P(X) of weight d and of degree at most N, where P is the feedback polynomial of the LFSR generating σ. The cyclic structure of LFSR sequences implies that the set of all parity-check equations of weight d involving $\sigma_i$ does not depend on i. It is therefore sufficient to find all polynomials Q(X)P(X) of weight d whose constant term equals 1. These polynomials can be found with the following algorithm: 

— Compute all residues $q_i(X) = X^i \bmod P(X)$ for $1 \leq i < N$ and store their values in a table T defined by 

$$\forall\, 0 \leq a < 2^L,\quad T[a] = \{\, i,\ q_i(X) = a \,\} .$$ 

— For each set of d − 2 elements $\{i_1, \ldots, i_{d-2}\}$ of $\{1, \ldots, N-1\}$, compute $A = 1 + q_{i_1}(X) + \ldots + q_{i_{d-2}}(X)$; for any $j \in T[A]$, $1 + X^{i_1} + \ldots + X^{i_{d-2}} + X^j$ is a multiple of P of weight d. 

The number of operations required by this algorithm is then roughly 

$$\binom{N-1}{d-2} \simeq \frac{N^{d-2}}{(d-2)!} .$$ 

We can also use an algorithm based on a “birthday technique” as suggested in [10, 
Section 5] . This consists in storing in a table the values of all linear combinations 
of residues qi{X). The complexity of this algorithm is only (|-^^) but 

it requires bits of memory. For d > 4 the choice of the algorithm used 

in the preprocessing step then highly depends on the available memory amount. 
Similar techniques for finding low-weight parity-check equations are presented 
in [14]. 

We now want to estimate the number of such parity-check equations of weight d. Let us first assume that P is a primitive polynomial in $\mathbf{F}_2[X]$ of degree L. Then the number m(d) of polynomials $Q(X) = 1 + \sum_{i=1}^{d-1} X^{c_i}$ of weight d and degree at most N such that P divides Q is approximately 

$$m(d) \simeq \frac{N^{d-1}}{(d-1)!\, 2^L} . \qquad (2)$$ 

This approximation is motivated as follows: when d is small, the number of multiples of P of weight d and of degree at most $2^L - 1$ can be approximated [8, p. 129] by 

$$\frac{2^{(d-1)L}}{d!} .$$ 

Let us now assume that the probability $p_d$ that P divides a polynomial of weight d is uniform. Since there are about $2^{dL}/d!$ polynomials of weight d and degree at most $2^L - 1$, we then deduce that 

$$p_d \simeq \frac{1}{2^L} .$$ 

We similarly obtain that 

$$m(d) = p_d \binom{N-1}{d-1} \simeq \frac{1}{2^L} \binom{N-1}{d-1} \simeq \frac{N^{d-1}}{(d-1)!\, 2^L} .$$ 

Simulations for d ≤ 6 show the accuracy of this approximation when N is not too small. Moreover its validity does not depend on the weight of P. As an example the following table compares our approximation with the exact values of m(3) for two polynomials of degree 17: $P_1(X) = 1 + \ldots$ and 

$P_2(X) = 1 + X^2 + X^4 + X^5 + X^6 + X^8 + X^9 + X^{10} + X^{11} + X^{13} + X^{14} + X^{15} + X^{17}$. 



  N              3000   4000   5000   6000   7000   8000 
  m_1(3)           38     61     95    131    183    238 
  m_2(3)           36     67     95    127    185    243 
  approximation    34     61     95    137    187    244 


Since this approximation is also accurate when P is a product of primitive polynomials, we will now use Formula (2) as an approximation of the number of parity-check equations of weight d involving the i-th bit of $(a_n)_{n<N}$. For the polynomial of degree 40 considered in [6], $P(X) = 1 + X + X^3 + X^5 + X^9 + X^{11} + X^{12} + X^{17} + X^{19} + X^{21} + X^{25} + X^{27} + X^{29} + X^{32} + X^{33} + X^{38} + X^{40}$, we obtain 9607 parity-check equations of weight 4 for N = 400,000 and 400 parity-check equations of weight 5 for N = 10,000. For these values of N, Formula (2) gives m(4) = 9701 and m(5) = 379.
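As an added check of Formula (2) (example code written for this page, not from the paper), the following Python counts the weight-3 multiples $1 + X^i + X^j$ of a feedback polynomial exactly, by matching the residues $X^i \bmod P$ as the residue-sorting preprocessing step does, and compares the count with $N^{d-1}/((d-1)!\,2^L)$. The degree-17 polynomial $P_2$ and the degree-40 polynomial are the ones given in the text; the tiny polynomials in the main block are constructed sanity cases.

```python
from collections import Counter
from math import factorial


def poly_from_exponents(exps):
    """GF(2) polynomial as an int bitmask: bit k is set iff the term X^k is present."""
    p = 0
    for e in exps:
        p |= 1 << e
    return p


def residues_mod(P, N):
    """r[i] = X^i mod P for 0 <= i < N, each residue an int of degree < deg(P)."""
    L = P.bit_length() - 1
    r = [0] * N
    cur = 1  # X^0
    for i in range(N):
        r[i] = cur
        cur <<= 1
        if (cur >> L) & 1:  # reduce as soon as the degree reaches L
            cur ^= P
    return r


def count_weight3_multiples(P, N):
    """Exact number of Q = 1 + X^i + X^j with 0 < i < j < N such that P divides Q.

    P divides Q iff X^i + X^j = 1 (mod P), i.e. r[i] ^ r[j] == 1, so a single pass
    over the residues with a hash map counts every such pair in O(N) time and
    O(N) memory (the residue-matching preprocessing step discussed above).
    """
    r = residues_mod(P, N)
    seen = Counter()
    count = 0
    for j in range(1, N):
        count += seen[r[j] ^ 1]  # each earlier i with r[i] = r[j] + 1 completes a multiple
        seen[r[j]] += 1
    return count


def approx_m(N, d, L):
    """Formula (2): m(d) ~ N^(d-1) / ((d-1)! 2^L), rounded to the nearest integer."""
    return round(N ** (d - 1) / (factorial(d - 1) * 2 ** L))


# Polynomials taken from the text: P2 of degree 17 and the degree-40 LFSR polynomial.
P2 = poly_from_exponents([0, 2, 4, 5, 6, 8, 9, 10, 11, 13, 14, 15, 17])
P40 = poly_from_exponents([0, 1, 3, 5, 9, 11, 12, 17, 19, 21, 25, 27, 29, 32, 33, 38, 40])

if __name__ == "__main__":
    # Constructed sanity case: P = 1 + X + X^2 has period 3, so for N = 6 the
    # weight-3 multiples are exactly {(1,2), (1,5), (2,4), (4,5)}.
    print(count_weight3_multiples(poly_from_exponents([0, 1, 2]), 6))  # 4
    # Exact count versus Formula (2) for P2 at the N values of the table above.
    for N in (3000, 4000, 5000, 6000, 7000, 8000):
        print(N, count_weight3_multiples(P2, N), approx_m(N, 3, 17))
    # Formula (2) for the degree-40 polynomial at the two parameter sets of the text.
    print(approx_m(400_000, 4, 40), approx_m(10_000, 5, 40), count_weight3_multiples(P40, 50_000))
```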



4 Decoding Procedure 



Using the previous parity-check equations we recover $(a_n)_{n<N}$ from $(s_n)_{n<N}$ using Gallager soft-input/soft-output decoding algorithm [3,4]. It relies on the evaluation, for all $0 \leq i < N$, of the probability that $a_i$ equals 1 conditional on the known sequence $(s_n)_{n<N}$ and on the event S that all parity-check equations involving $a_i$ are satisfied. As usual in soft decoding algorithms, all probabilities are expressed in terms of log-likelihood ratios: the log-likelihood ratio of a binary random variable X, L(X), is defined as

$$L(X) = \log\frac{\Pr[X = 0]}{\Pr[X = 1]}.$$

The sign of L(X) corresponds to a hard decision on X ($\mathrm{sign}(L(X)) = (-1)^X$); its magnitude |L(X)| is the reliability of this decision. Here, we have that

$$L(a_i \mid (s_n)_{n<N}, S) = L(a_i \mid (s_n)_{n<N}) + L(S \mid a_i, (s_n)_{n<N}).$$

The second term of the right-hand member of this equation can be evaluated with the following approximation (see e.g. [5]):

$$L(X_1 \oplus \cdots \oplus X_m) \simeq \left(\prod_{i=1}^{m} \mathrm{sign}(L(X_i))\right) \min_{1 \leq i \leq m} |L(X_i)|.$$

The decoding procedure is then as follows:

— Initialization: for all i from 0 to N − 1, $L[i] = \log\frac{1-p}{p}$.

— Until convergence, repeat:

  For all i from 0 to N − 1:

    $L'[i] = (-1)^{s_i} L[i]$;

    for any parity-check equation involving $a_i$, written as $a_i + \sum_{j \in J} a_j = 0$,

    $$L'[i] \leftarrow L'[i] + \left(\prod_{j \in J} (-1)^{s_j}\right) \min_{j \in J} L[j].$$

  For all i from 0 to N − 1, $s_i \leftarrow \mathrm{sign}(L'[i])$ and $L[i] \leftarrow |L'[i]|$.

The number of parity-check equations required for convergence of this decoding 
procedure highly depends on their weight d. Figures 4 and 5 present simulations 
results for L = 21 Ip{X) = 1 + X^ + X^ + X^ + X^° + -b X^^ + X^^ + 
X^^). Figure 5 clearly shows that the performance of the attack increases with 
the weight of the parity-check equations. For p = 0.4, the attack requires the 
knowledge of 16800 bits of s for d = 3, 2200 bits for d = 4 and 1100 bits for 
d = 5. 

Simulations actually provide the following approximation of the minimum value of m(d) for convergence (see Fig. 4):

$$m(d) \geq \frac{K_d}{C_{d-2}(p)} \qquad (3)$$

where $C_{d-2}(p)$ is the capacity of the binary symmetric channel with error-probability $p_{d-2} = \frac{1}{2}\left(1 - (1-2p)^{d-2}\right)$, i.e. $C_{d-2}(p) = 1 + p_{d-2}\log_2(p_{d-2}) + (1 - p_{d-2})\log_2(1 - p_{d-2})$, $K_d \simeq 1$ if $d \geq 4$ and $K_3 \simeq 2$. Combining (2) and (3) we obtain that the correlation attack with parity-check equations of weight d is successful if the number of known bits of s is at least

$$N = 2^{a_d(p) + \frac{L}{d-1}} \quad \text{with} \quad a_d(p) = \frac{1}{d-1}\log_2\left(\frac{(d-1)!\,K_d}{C_{d-2}(p)}\right). \qquad (4)$$

This formula points out that the influence of L decreases when we use higher-weight parity-check equations. When m(d) satisfies (3) the decoding procedure requires at most 10 iterations. The algorithm then performs approximately $5(d-1)m(d)N$ operations on average. The amount of memory involved is composed of $(d-1)m(d)$ computer words for storing the parity-check equations and of 2N computer words for storing the sequence $(s_n)_{n<N}$ and the corresponding soft values $(L[n])_{n<N}$.

Fig. 4. Number of parity-check equations of weight d per bit required for convergence (L = 21)

5 Comparison with Previous Correlation Attacks 

We first compare our attack with the correlation attack using convolutional codes described in [6]. This attack associates a convolutional code with memory B to the code C stemming from the LFSR with feedback polynomial P. The embedded convolutional code is defined by all parity-check equations involving $a_n$ and d − 1 bits of a outside positions n − 1, …, n − B:

$$a_n = \sum_{i=1}^{B} \beta_i a_{n-i} + \sum_{j=1}^{d-1} a_{i_j}.$$

Johansson and Jonsson focus on the case d = 3. Using the algorithm described in [6] all these equations can be found with roughly ^_ 2 )\ operations. Exactly as in Formula (2) the number of such parity-check equations involving the i-th bit of a is approximately given by

$$m_B(d) \simeq \frac{N^{d-1}\,2^B}{(d-1)!\,2^L}.$$
Fig. 5. Number of bits of s required for convergence (L = 21). (Plot residue: N on the vertical axis, from 100 to 100,000; error probability p on the horizontal axis, from 0.3 to 0.44.)



The decoding step of the attack now consists in deriving a sequence r from $(s_n)_{n<N}$. Decoding r with respect to the convolutional code then provides L consecutive bits of a. By construction most bits of the corrupted sequence r satisfy

$$\Pr[r_n \neq a_n] = \frac{1}{2}\left(1 - (1-2p)^{d-1}\right) = p_{d-1}.$$

This obviously implies that the decoding procedure cannot be successful if the transmission rate R of the convolutional code is greater than the capacity of the binary symmetric channel with error probability $p_{d-1}$. The simulation results presented in [6] actually provide the following maximum value of R for convergence of Viterbi algorithm:

$$R \leq \frac{C_{d-1}(p)}{K'}$$

where K' is a constant which slightly depends on L (we obtain K' = 3 for L = 21 and K' = 2.5 for L = 40). Since $R = 1/(m_B(d) + 1)$ we deduce the following convergence condition for Viterbi algorithm:

$$m_B(d) \leq \frac{K'}{C_{d-1}(p)} - 1. \qquad (5)$$

The number of known bits of s required by a correlation attack using a convolutional code with memory B is then

$$N = 2^{a'_d(p) + \frac{L-B}{d-1}} \quad \text{with} \quad a'_d(p) = \frac{1}{d-1}\log_2\left((d-1)!\left(\frac{K'}{C_{d-1}(p)} - 1\right)\right). \qquad (6)$$

The decoding step using Viterbi algorithm performs $2^B m_B(d)(L + 10B)$ operations.

Figure 6 compares the number of bits of s required for a correlation attack using Gallager decoding algorithm with d = 3, d = 4 (Formula (4)) and for the attack using Viterbi algorithm with d = 3, B = 18 (Formula (6)). It points out that the use of Gallager algorithm with d = 4 provides better performance than the use of Viterbi algorithm with d = 3 and B = 18. Moreover, this advantage increases for growing p and L.

Fig. 6. Number of bits of s required by Gallager algorithm and by Viterbi algorithm

As an example, we now compare our attack with d = 4 and the attack using a convolutional code which was presented in [6] (d = 3). Let N be the minimum number of bits of the running-key which are required by our attack for a given value of p. The correlation attack using Viterbi algorithm only succeeds for these values of N and p when $m_B(3) \geq K'\,m(4)$, i.e., $B \geq \log_2(N)$ since $K' \simeq 3$. This high value of B makes the complexity of the decoding step with Viterbi algorithm higher than for our attack: the number of operations required for decoding is multiplied by B + …. Moreover, the memory requirement makes the decoding step intractable for large values of B (B cannot exceed 20 or 30 in practice). The only advantage of the attack based on convolutional codes is the lower complexity of the preprocessing step: in our attack the number of operations performed for finding the parity-check equations is multiplied by …. But this part of the attack is performed once for all, while the decoding step has to be repeated for each new initialization of the system. A similar comparison can be made for higher-weight parity-check equations. Note that, as pointed out by Formula (6), the advantage of increasing the memory B in the attack based on convolutional codes decreases for higher values of d. Moreover, the value of d in the attack based on convolutional codes is limited due to the time complexity of Viterbi algorithm. Gallager algorithm should therefore be preferred in most situations.

A recent improvement [7] of the attack based on convolutional codes consists in using M parallel convolutional codes with memory B which all share the same information bits. This does not strongly modify the results of the previous comparison. When a turbo code is used, the number of operations performed by the decoding procedure is $6M\,2^B m_B(d)(L + 9B)$ and the memory requirement is roughly the same as in Viterbi algorithm. The processing step now performs around $(L + 9B)M$ operations.



6 Simulation Results 



We now present some simulation results of our attack based on an LFSR of length L = 40 with feedback polynomial

$$P(X) = 1 + X + X^3 + X^5 + X^9 + X^{11} + X^{12} + X^{17} + X^{19} + X^{21} + X^{25} + X^{27} + X^{29} + X^{32} + X^{33} + X^{38} + X^{40}.$$

This polynomial was used for all simulations in [12,6,7]. The results obtained by Gallager algorithm with parity-check equations of weight 4 and 5 are presented in Figure 7.




Fig. 7. Number of bits of s required for a fast correlation attack (L=40) 
As an example, the following table compares the maximum error-probabilities achieved by the different correlation attacks when N = 400,000 bits of s are known:

                           our attack   [6] (Viterbi)     [7] (turbo)
                           d = 4        d = 3, B = 15     d = 3, M = 8, B = 13
    maximum error
    probability p          0.44         0.40              0.41

For N = 400,000 and p = 0.44, the preprocessing step and the decoding step of our attack took respectively 9 hours and 1.5 hours on a DEC Alpha workstation. Note that the attack based on convolutional codes with d = 4 and B = 16 can achieve p = 0.482, but it requires 2®^ operations. This error-probability can be achieved by our attack with d = 5 and with only N = 360,000 bits of s. In this case, the number of operations required by the decoding step is 2®^.

Similarly, the correlation attack based on turbo codes achieves p = 0.3 for 40,000 known bits of s (with B = 15 and M = 16) [7]. We here correct the same error-probability with only 9,770 bits using parity-check equations of weight 5. In this last case, the preprocessing step takes roughly 30 hours, and the decoding step takes 12 seconds.

7 Conclusions 

We have shown that the fast correlation attacks using Gallager iterative decoding 
algorithm with parity-check equations of weight 4 or 5 are more efficient than 
the attacks based on convolutional codes or on turbo codes. The performance 
of our algorithm is only limited by the time complexity of the preprocessing 
step; however, it is important to note that this part of the attack has to be 
performed once for all. The different techniques proposed by Johansson and 
Jonsson could also use higher-weight parity-check equations but the induced 
improvement is strongly limited by the memory requirement of the decoding 
procedure. Gallager algorithm should therefore be preferred in most situations. 
The previous theoretical analysis provides all necessary choices of parameters 
for practical implementations. 
Abstract. Recently a powerful cryptanalytic tool — the slide attack — was introduced [3]. Slide attacks are very successful in breaking iterative ciphers with a high degree of self-similarity and even more surprisingly are independent of the number of rounds of a cipher. In this paper we extend the applicability of slide attacks to a larger class of ciphers. We find very efficient known- and chosen-text attacks on generic Feistel ciphers with a periodic key-schedule with four independent subkeys, and consequently we are able to break a DES variant proposed in [2] using just 128 chosen texts and negligible time for the analysis (for one out of every $2^{16}$ keys). We also describe known-plaintext attacks on DESX and Even-Mansour schemes with the same complexity as the best previously known chosen-plaintext attacks on these ciphers. Finally, we provide new insight into the design of GOST by successfully analyzing a 20-round variant (GOST⊕) and demonstrating weak key classes for all 32 rounds.



1 Introduction 

The slide attack is a powerful new method of cryptanalysis of block-ciphers 
introduced in [3]. The unique feature of this new cryptanalytic attack is its 
independence of the number of rounds used in the cipher of interest: when a 
slide attack is possible, the cipher can be broken no matter how many rounds are 
used. This capability is indispensable in a study of modern iterative block ciphers 
and hash functions. As the speed of computers grows, it is natural to use more 
and more rounds, which motivates our study of attacks that are independent 
of the number of rounds. While addition of a few rounds usually stops even a 
very sophisticated cryptanalytic attack (such as a differential or linear attack), in 
contrast a cipher vulnerable to slide attacks cannot be strengthened by increasing 
the number of its rounds. Instead, one must change the key-schedule or the design 
of the rounds. 

In [3] it was shown that slide attacks exploit the degree of self- similarity of 
a block cipher and thus are applicable to iterative block-ciphers with a periodic 
Table 1. Summary of our attacks on various ciphers.

    Cipher (Rounds)          Key bits   Best Previous Attack             Our Attack
                                        Data      Type    Time           Data      Type    Time
    2K-DES (∞)               96         2^32      KP      2^50           2^32      KP      2^33
    2K-DES (∞)               96         2^32      KP      2^50           2^17      CP/CC   2^17
    4K-Feistel (∞)           192        —         —       —              2^33      KP      2^33
    4K-Feistel (∞)           192        —         —       —              2^17      CP/CC   2^17
    4K-DES (∞)               192        —         —       —              2^17      CP/CC   2^17
    Brown-Seberry-DES (∞)    56         —         —       —              128       CP/CC   2^7
    DESX (16)                184        2^32.5    CP      2^87.5         2^32.5    KP      2^87.5
    DESX (16)                184        2^32.5    CP      2^87.5         2^32.5    CO      2^95
    Even-Mansour (−)         2n         2^(n/2)   CP      2^(n/2)        2^(n/2)   KP      2^(n/2)
    GOST⊕ (20)               256        —         —       —              2^33      KP      2^70

CO — ciphertext-only, KP — known-plaintext, CP — chosen-plaintext, CP/CC — chosen plaintext/ciphertext. Our attack on 4K-DES and Brown-Seberry-DES works for $1/2^{16}$ of all keys. Note that attacks on 2K-DES work for all the keys.



key-schedule. It was also shown that slide attacks apply to auto-key ciphers 
(where the choice of the round subkeys is data-dependent) . As an example an 
attack was presented on modified Blowfish [17], a cipher based on key-dependent 
S-boxes which so far had resisted all the conventional attacks. 

The existence of attacks which are independent of the number of rounds is 
perhaps counter-intuitive. To illustrate this consider a quote from [15]: 

“Except in a few degenerate cases, an algorithm can be made arbitrarily secure by adding more rounds.”

Slide attacks force us to revise this intuition, and this motivates our detailed 
study of advanced sliding techniques. 

In this paper we introduce advanced sliding techniques — sliding with a twist and the complementation slide — that result in more efficient slide attacks and allow us to attack new classes of ciphers. We illustrate these techniques on generic Feistel constructions with two- or four-round self-similarity as well as a Luby-Rackoff construction and also the example ciphers 2K-DES and 4K-DES, which differ from DES only by having 64 rounds, a 96- or 192-bit key, and a simplified (periodic) key-schedule. Analysis of these ciphers is of independent interest since it demonstrates the dangers of some ways to extend DES. Specifically we show a very efficient attack on a variant of DES proposed in [2]: our attack uses only 128 chosen texts and negligible time of analysis (for a $2^{-16}$ fraction of all keys).

We then apply the newly developed methods to the DESX and Even-Mansour 
schemes, and we show known-plaintext slide attacks with the same complexity as 
the best previously known chosen-plaintext attacks. We also apply slide attacks 
to the GOST cipher (a Russian equivalent of DES) obtaining insights on its 
design. 

See Table 1 for a summary of our results. For each cipher a number of rounds that our attack is able to cover is presented; ∞ is shown if our attack is independent of the number of rounds of a cipher. The block size in bits is denoted by n, and the ‘Key bits’ column denotes the number of secret key bits of the cipher.

This paper is organized as follows: In Section 2 we briefly describe conven- 
tional slide attacks. We develop several advanced sliding techniques in Section 3, 
illustrating them on generic Feistel ciphers with periodic key-schedules. As a 
side effect we receive a distinguishing attack on the 'F{ ... ) Luby- 

Rackoff construction (see the end of Section 3.2). We then apply the newly 
developed techniques to the analysis of DESX and Even-Mansour schemes in 
Section 4. In Section 5 we turn advanced slide attacks to the analysis of GOST. 
Finally Section 6 summarizes some related work and Section 7 outlines some 
possible directions for further research. 

2 Conventional Slide Attacks 

Earlier work [3] described a simple form of slide analysis applicable to ciphers 
with self-similar round subkey sequences or autokey ciphers. We briefly sketch 
those ideas here; see [3] for full details and cryptanalysis of a number of ciphers, 
and Section 6 for other related work. 

In the simplest case, we have an -round cipher whose rounds all use the 
same subkey, so that = o o • • • o = Note that if the key schedule 
of a cipher is periodic with period , we can consider to be a “generalized” 
round consisting of rounds of the original cipher. We call such ciphers -round 
self-similar. Let ( ) be a known plaintext-ciphertext pair for . The crucial 

observation is 

'= ( ) implies '= (0= ’'(())= (’'())= ( )■ 

In a standard slide attack, we try to find pairs ( ), ( ' ') with ' = ( ); we call such a pair a slid pair, and then we will get the extra relation ' = ( ) “for free.”

Slide attacks provide a very general attack on iterated product ciphers with repeating round subkeys. The only requirement on is that it is very weak against known-plaintext attack with two pairs (we are able to relax this requirement later, in Section 3.5). More precisely, we call fc( ) a weak permutation if given the two equations fc( i) = i and k( 2 ) = 2 it is “easy” to extract the key . Such a cipher (with an n-bit block) can be broken with only $2^{n/2}$ known texts, since then we obtain $2^n$ possible pairs ( ), ( ' '); as each pair has a $2^{-n}$ chance of forming a slid pair, we expect to see one slid pair which discloses the key.
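To make the crucial observation above concrete, here is an added Python example (written for this page, not taken from the paper) with a constructed toy Feistel cipher on 32-bit blocks whose rounds all share one 16-bit subkey. It checks that a pair with P' = F_k(P) always satisfies C' = F_k(C), whatever the number of rounds, and computes the expected number of slid pairs in a pool of $2^{n/2}$ known texts; the round function f is an arbitrary constructed mixing function, not one from any real cipher.

```python
import random

MASK16 = 0xFFFF


def f(x, k):
    """Constructed toy round function on 16-bit words (an assumption of this
    example: any key-dependent function gives the same slide property)."""
    x = (x ^ k) & MASK16
    x = (x * 0x9E37 + 0x1234) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16


def feistel_round(block, k):
    """One Feistel round F_k: (L, R) -> (R, L xor f(R, k))."""
    L, R = block
    return (R, L ^ f(R, k))


def encrypt(block, k, rounds):
    """An r-round Feistel cipher whose rounds all use the same subkey k
    (one-round self-similar key schedule); the final swap is omitted."""
    for _ in range(rounds):
        block = feistel_round(block, k)
    return block


def is_slid_pair(p, c, p2, c2, k):
    """The crucial observation: P' = F_k(P) implies C' = F_k(C), because
    F_k^r(F_k(P)) = F_k(F_k^r(P)) for every r."""
    return p2 == feistel_round(p, k) and c2 == feistel_round(c, k)


def slide_holds(k, rounds, p):
    """Build P' = F_k(P), encrypt both texts with `rounds` rounds, and report
    whether the ciphertexts satisfy C' = F_k(C); this holds for any `rounds`,
    which is why adding rounds does not help against a slide attack."""
    p2 = feistel_round(p, k)
    c, c2 = encrypt(p, k, rounds), encrypt(p2, k, rounds)
    return is_slid_pair(p, c, p2, c2, k)


def expected_slid_pairs(n_bits, num_texts):
    """Expected number of slid pairs among num_texts known texts of an n-bit
    cipher: num_texts^2 candidate pairs, each slid with probability 2^-n, so
    2^(n/2) texts give one expected slid pair."""
    return num_texts ** 2 / 2 ** n_bits


if __name__ == "__main__":
    k = random.getrandbits(16)
    p = (random.getrandbits(16), random.getrandbits(16))
    for rounds in (4, 16, 64):
        print(rounds, "rounds: slid relation holds =", slide_holds(k, rounds, p))
    print("expected slid pairs in 2^16 texts of the 32-bit toy cipher:",
          expected_slid_pairs(32, 2 ** 16))
```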

Feistel ciphers form an important special case for sliding, since the attack complexity can be substantially reduced from the general case. We depict in Figure 1 a conventional slide attack on a Feistel cipher with repeating round subkeys. The Feistel round structure gives us an n/2-bit filtering condition on slid pairs, which lets us reduce the complexity of analysis to about $2^{n/2}$ time and space, a significant improvement over the $2^n$ work required for the general attack listed above. Furthermore, there is a chosen-text variation which works against
Fig. 1. A conventional slide attack on a generic Feistel cipher with one-round self-similarity. If ' = and ' = ⊕ ( ⊕ ), the texts shown above will form a slid pair, and we will have ' = and ' = ⊕ ( ⊕ ).



Feistel ciphers with about $2^{n/4}$ chosen plaintexts: we may simply use structures to ‘bypass the first round’. See [3] for details.

In this paper, we focus on generalizing the slide attack to apply to a broader 
range of constructions. 



3 Advanced Sliding Techniques 

In this section we show several ways of extending the basic slide attack to apply 
to larger classes of ciphers. In the following subsections we introduce two new 
methods: the complementation slide and sliding with a twist. 

We will describe these new techniques by applying them first to a generic Feis- 
tel cipher with a 64-bit block and self-similar round subkeys. (See Figure 1 for an 
example of such a cipher, where the subkeys exhibit one-round self-similarity. In 
this section, we consider up to four-round self-similarity.) For ease of illustration 
we will show graphically ciphers with only a small number of rounds, but we 
emphasize that the attacks described in this section apply to ciphers with any 
number of rounds. After describing the basic attack techniques we will show how 
to extend them to real ciphers. 



3.1 The Complementation Slide 

First we show a method to amplify self-similarity of Feistel ciphers with two- 
round self-similarity by exploiting its complementation properties, thus allowing 
for much better attacks. We call this approach the complementation slide. 

In the conventional attack, to deal with two-round self-similarity one must 
slide by two rounds (thus achieving a perfect alignment of rounds with o and 
i), but this yields inefficient attacks. In contrast, we suggest to slide by only one 
round. This introduces the difference = o © i between slid encryptions in 




Advanced Slide Attacks 



593 







Fig. 2. A complementation slide attack on a Feistel cipher with two-round self- 
similarity. If ' = 0 and ' = 0 ( 0 ® ) ® ) the texts shown above will 
form a slid pair, and we will have '= 0 and '= 0 ( i0 0 )0 , 

where = o ® i • 



all the rounds. Notice that we have effectively amplified the self-similarity of the 
cipher from 2-round to 1-round self similarity. However together with amplified 
self-similarity we have introduced differences between rounds of encryption in a 
slid pair. How can the attack proceed? 

Our answer is to choose a slid pair so that the plaintext differences will cancel 
the difference between the subkeys. Instead of searching for plaintexts with slid 
difference zero, we search for plaintexts with slid difference ( ). (Note: We 

say that a pair of plaintexts ' has slid difference if ( ) 0 ' = .) Such 

a slid difference will propagate with probability one through all the rounds, and 
thus will appear at the ciphertext. See Figure 2 for a pictorial illustration of the 
attack. 

The slid pairs can be found in a pool of $2^{32}$ known plaintexts, as before. If
we denote the plaintext by = ( ) and the ciphertext by = ( ), we 

get the following slid equations: 

('') = ( ® ( 0 ® ))®( ) 

( ' ') = ( ® ( 1 ® ® ))®( ). 

Thus we have '0 ' = 0 which is a 32-bit condition on a slid pair. 

Moreover the second equation suggests a 32-bit candidate for = o ® i; if 
we have several slid pairs, this value should coincide for all of them (although 
we do not need the latter property in our attack). Thus the S/N ratio of this 
attack is very high. As soon as one slid pair is found, we derive = o ® i- 
Then, if the round function is weak enough, we will be able to derive the keys 
0 and 1 themselves from the first and second equations. We will only need to 
examine $2^{32}$ pairs (due to the 32-bit filtering condition) and each pair suggests at most one candidate key, so the work-factor of the attack is very low.

To summarize, this gives a known plaintext attack on a generic Feistel cipher 
with two-round self-similarity. The complexity of the attack is quite realistic: we 
Fig. 3. Sliding with a twist, applied to a Feistel cipher with two-round self-similarity. If ' = and ' = ⊕ ( ⊕ ) the texts shown above will form a (twisted) slid pair, and we will have ' = and ' = ⊕ ( o ⊕ ).



need just $2^{32}$ known texts and at most $2^{32}$ light steps of analysis. However, see Section 3.2 for an even better attack.

Even more interestingly: We can consider a variant with four independent 
subkeys, o> i, 2 , 3 , so that the key size is 128 bits. If we slide by two 

rounds we find that the XOR differences between subkeys are 2-round self-similar! 
A modified version of the above attack works, although the S/N ratio is not as 
high as before. Complementation sliding thus provides a powerful technique for 
amplifying self-similarity in iterated ciphers. 



3.2 Sliding with a Twist 

We next describe a novel technique of sliding with a twist on a Feistel cipher 
with two-round self-similarity. This allows for even better attacks than those 
presented above. See also our attack on DESX in Section 4 for an important 
application of sliding with a twist. 

If we ignore the final swap for the moment, then decryption with a Feistel 
cipher under key o i is the same as encryption with key i o^- Of course, 
Feistel encryption with key o i is very similar to encryption with key i q: 
they are just out of phase by one round. Therefore, we can slide by one round 
a decryption process against an encryption process (the twist). This provides us 
with a slid pair with an overlap of all rounds except for one round at the top 
and one round at the bottom. Notice that due to the twist these rounds both 
use the same subkey o- See Figure 3 for a graphical depiction. 

The attack begins by obtaining a pool of $2^{32}$ known texts, so that we expect to find one slid pair. For a slid pair, we have

('') = ( ® ( 0 ® ) ) ('') = ( ® ( 0 ® ) ) 

1 In [3] such a cipher, based on DES, was called 2K-DES.
which gives us a 64-bit filtering condition on slid pairs (namely ' = and ' = ). Thus the slid pair can be easily found with a hash table and $2^{32}$ work, and it immediately reveals the subkey $K_0$.

The rest of the key material can be obtained in a second analysis phase with a simplified conventional sliding (by two rounds and without a twist) using the same pool of texts and with less than $2^{32}$ work. Pick a ciphertext from the pool, partially encrypt it with $K_0$ and search the pool of ciphertexts for one with coinciding 32 bits. If such a ciphertext is found, perform a similar check on their plaintexts. If both conditions hold this is a slid pair that provides us with $K_1$. This attack requires just $2^{32}$ known texts and $2^{33}$ work.

Moreover, there is a chosen-plaintext/ciphertext variant that allows us to reduce the number of texts down to $2^{17}$ with the use of structures. We generate a pool of $2^{16}$ plaintexts of the form ( j ) and obtain their encryptions. Also, we build a pool of $2^{16}$ ciphertexts of the form ( ' ') and decrypt each of them, where the value ' = is fixed throughout the attack. This is expected to give one slid pair, and then the analysis proceeds as before.

This demonstrates that sliding with a twist is capable of attacking any n-bit Feistel block cipher with a two-round periodic key-schedule with $2^{n/2}$ known plaintexts and about $2^{n/2}$ time, or with about $2^{n/4}$ chosen plain-ciphertexts and about $2^{n/4}$ time. Also, sliding with a twist can be used to distinguish a Luby-Rackoff [13] construction with two alternating pseudo-random functions and and with an arbitrary number of rounds (an accepted notation is tf'( ... )) from a random permutation with about $2^{n/2}$ known plaintexts and similar time (given that the block size is n bits), or with about $2^{n/4}$ chosen plaintext/ciphertext queries and similar time.

3.3 Better Amplification of Self-Similarity: Four-Round Periodicity 

In this section we combine the complementation slide and sliding with a twist 
to amplify the self-similarity of round subkeys even further. Consider a Feistel 
cipher with key schedule that repeats every four rounds, using independent sub- 
keys 0 ) 1 ) 2 , 3 , and suppose these keys are xORed at the input of the 

-function. We call this generic cipher a 4K-Feistel cipher. 

One may naively slide by two rounds to amplify self-similarity, like this: 

0 1 2 3 0 1 ■ ■ ■ 

0 1 2 3 0 1 ■ ■ ■ 

Then one may use a complementation slide technique using the slid difference ( 1 ⊕ 3, 0 ⊕ 2 ). However, there doesn’t seem to be any way to make this attack work with less than $2^{n/2}$ texts, and the analysis phase is hard.

Better results are possible if one applies sliding with a twist. At a first glance, 
the twist may not seem to be applicable, but consider combining it simultane- 
ously with the complementation slide, like this: 



0 1 2 3 0 1 2 3 o--- 

3 2 1 0 3 2 1 0 3--- 
Fig. 4. Combining the complementation slide and sliding with a twist techniques in a single unified attack against a Feistel cipher with four-round self-similarity.



The top row represents an encryption, and the bottom represents a decryption 
(or, equivalently, encryption by 3 2 1 o> due to the similarity between 

encryption and decryption in Feistel ciphers). 

Now note that the odd rounds always line up, but the even rounds have the 
constant difference 1 0 3 in the round subkeys. Therefore, we can apply the 

complementation slide technique, if we can get texts with a slid difference of 
(0 10 3 ). Then we get the attack shown in Figure 4. 

Combining the two advanced sliding techniques provides a number of sig- 
nificant benefits. First, we obtain an -bit filtering condition, so detecting slid 
pairs becomes easy. Consequently, the analysis phase is straightforward. Also, 
the combined approach makes it easier to recover key material from a slid 
pair. Finally, perhaps the most important improvement is that now we can reduce the data complexity of the attack to just $2^{n/4}$ texts, in the case where chosen-plaintext/ciphertext queries are allowed. Neither advanced sliding technique can — on its own — provide these advantages; in this respect, the whole is greater than the sum of the parts.

3.4 Attack on DES with Brown-Seberry Key-Schedule 

In [2] an alternative key-schedule for DES was proposed. This key-schedule was 
supposed to be “as effective as that used in the current DES” and was “suggested 
for use in any new algorithm” [2]. This variant of DES was already studied 
in [1] resulting in a related-key attack on it. In this section we show a chosen 
plaintext/ciphertext slide attack on this variant of DES, which uses only 128 
chosen texts and negligible time for analysis. The attack works for $2^{40}$ out of $2^{56}$ keys.

To remind the reader: the DES key-schedule consists of two permuted- choice 
permutations PCI and PC2, and a rotation schedule. The first permuted choice 
PCI is used to reduce the key-size from 64 bits to 56 bits. Then the result is 
divided into two 28-bit registers and . Each round we cyclicly rotate both 
registers by one or two bits to the left. Permuted choice PC2 is applied to the 
result, which picks 24 bits from each 28-bit register and thus forms a 48-bit 
round subkey. 

In [2] a key-schedule that rotates by 7 bits every round was proposed (instead of the irregular 1,2-bit rotations used in DES). Due to the larger rotation amount, which spreads bits between different S-boxes, the PC2 permutation was simplified to become an identity permutation which just discards the last 4 bits of each 28-bit register. We claim that for $1/2^{16}$ of the keys, this variant can be broken with our sliding with a twist technique as follows: the known-plaintext attack will require 2®^ ® texts, time and space; the chosen-plaintext/ciphertext attack, however, will require only $2^7$ texts!

First of all notice that since the new rotation amount (7 bits) divides the size 
of the key-schedule registers (28 bits) the registers return to their original 
state every four rounds. This results in a key-schedule with a period of four, which 
can be analyzed by the methods that we developed in the previous sections for 
the four-round self-similar Feistel ciphers. We will extend the standard attack 
even further by noticing that DES key-schedule is used and not four independent 
round subkeys as in our previous model. However, DES-like ciphers introduce 
one small complication: the DES round function XORS the subkey against the 
48-bit expanded input rather than the raw 32-bit input, so the complementation 
slide only works if the 48-bit subkey difference is expressible as the expansion of 
some 32-bit text difference. 

Let i = { 7i 7i) so that i = PC2( j). For the sliding with 

a twist to work in the case of DES we need i 0 3 to have an ‘expandable’ 

form in order to pass through the 32 to 48 expansion of the DES round function. 
Note also that if i = {u v u' v') where u v u v' are all 14-bit quantities, then 
3 = {v u v' u') in a Brown-Seberry key-schedule, and thus for = 1 0 3 we 
have i = i+14 for z S {0 1 . . . 13 28 29 . . . 41}. The PC2 just discards i 

for z G {24 25 . . . 27 52 53 . . . 55} to get the 48-bit quantity = PC2( ) = 

10 3- 

If we insist = Expansion( ) for some , we get 16 constraints on : 

namely, z = i+2 for z = 6j 0 , j G {0 . . . 7}, G {4 5} where subscripts are 

taken modulo 48. Thus we have 

i = i+2 for t G {4 5 10 11 16 17 32 33 38 39 44 45}; 

and i = i+6 for z G (22 23 50 51}. Therefore = 1 0 3 is expandable if 

and only if = 1 0 3 has the form 

= ( h h h h 

mm mm) 
where .. are 12 arbitrary bits, we see that there are exactly 2^{12} expandable 
values of 1 ⊕ 3 that satisfy the required constraints. Moreover, for each ex- 
pandable value of 1 ⊕ 3, there are 2^{28} possible values of 1 for which 1 ⊕ 3 
has the given value (since we may choose u and u' arbitrarily, setting v and v' 
as required to ensure that (u ⊕ v, u ⊕ v, u' ⊕ v', u' ⊕ v') has an appropriate value 
for 1 ⊕ 3). 

This shows that there are 2^{40} values of 1 that lead to four-round self- 
similarity with an expandable value for 1 ⊕ 3. In other words, 1/2^{16} of the 
keys are breakable with our standard attack. Note that the standard attack for 
the case of four independent round subkeys uses 2^{32.5} known texts, time and 
space, or 2^^ chosen texts, time and space. However, we may use the special 
structure of 1 ⊕ 3 to significantly reduce the complexity of the chosen-text 
attack. 

In particular, we choose 2^{6} plaintexts of the form ( i, ) and 2^{6} ciphertexts 
of the form ( j, '), where = ' is fixed throughout the attack and 

i = ( 0 0 000 0 0 0 0 000 ) 

j = (0000 000 h000 0000 0 00m 00 0) so that 

i ⊕ j = ( h m ) 

and thus Expansion( i ⊕ j) = 1 ⊕ 3 for some i, j, which immediately gives 
us a slid pair. (We assume for ease of description that the cipher includes the 
final swap and no IP or FP, so that Figure 4 in Section 3.2 applies.) We can 
recognize the slid pair by a 64-bit filtering condition on ( , ), ( ', '), and so 
the analysis phase is easy. 

To sum up, this provides an attack on the cipher that breaks 1/2^{16} of the 
keys with 2^{7} chosen texts, time and space. 

3.5 Generalizations for a Composition of Stronger Functions 

In Section 2 we have seen how a typical slide attack may work. However, in many 
cases this approach is too restrictive, since it may be desirable to analyze ciphers 
which decompose into a product of stronger functions; in particular, the round 
function may be strong enough that multiple input/output pairs are required to 
recover any key material. In this section we show several techniques to handle 
this situation. 

One approach is to use a differential analysis. Denote by the block size of 
the cipher. Suppose there is a non-trivial differential characteristic ^ 
of probability for the round function. We associate to each plaintext the 
plaintext ⊕ and to each plaintext ' another plaintext ' ⊕ . Then, if 
' = ( ), we will also have ' ⊕ = ( ⊕ ) with probability (thanks 
to the characteristic ^ ), which provides two slid pairs. In this way we 
may obtain four known input/output pairs for the function . We can generate 
a set of 3 · 2^{n/2} chosen plaintexts such that for plaintext in the chosen 
set the plaintexts ⊕ and ⊕ are also in the set; then we will expect 
to see one pair ' satisfying both the slide and the differential patterns. 
The second approach (which is probably the simplest) works like this. Sup- 
pose to recover the key we need known texts for the round function . For 
each plaintext , we suggest to get the encryption ( ) of , and the double- 
encryption )= ( ( )) of , and so on, until we have obtained ). 
Then, if ' = ( *( )), we find 2 — i slid pairs “for free” by the relation 
•!( ') = ( )) for j = 1 .. 2 — i. With 2^”+^)/^ chosen texts, 
we expect to find about slid pairs in this way (probably all in the same 
batch formed from a single coincidence of the form ' = ( *( ))). To locate 
the batch of slid pairs, one could naively try all 2^{n+1} possible pairings of texts 
(though in practice we would search for a more efficient approach); each pairing 
that gives or more known texts for will suggest a key value that can then 
be tested^. 

Normally this last attack would be classified as an adaptive chosen-plaintext 
attack. However, note that in many modes (CBC, CFB) it can be done with a 
non-adaptive chosen-plaintext attack. Furthermore, in the case of OFB mode, 
a known plaintext assumption suffices. However, these comments assume that 
re-encryption preserves the sliding property, which is not always the case. 

Another possible generalization is in the case of Feistel ciphers. In this case 
one can detect slid pairs even before trying to find the correct secret key. In the 
case of a balanced Feistel cipher with block size we have an /2-bit condition on 
the ciphertexts of a slid pair. This increases the S/N ratio considerably, filtering 
out most of the incorrect pairs even before we start the analysis. This property 
allows an attacker to accumulate a sufficient number of slid pairs before starting 
an attack on a round-reduced variant of a cipher. 

Notice also that if we use a technique for receiving many slid pairs in the 
case of a Feistel cipher, we would need only 2 · 2^{n/2} chosen texts, and the S/N 
ratio will be excellent by comparing several halves of the ciphertexts. 

Furthermore if > 2^{n/2}, an absolutely different idea can be used. Choose 
a random starting point . About 2^{n/2} times iterate the following operation so , 
where s denotes swap of the halves (the swap is needed only if has no final swap 
at the last round). This way one can obtain more than slid pairs (here 
denotes the number of rounds of a cipher). The S/N ratio is again excellent. 
The idea is that we essentially search for a symmetric point (A, A) of a round 
function, which happens after about 2^{n/2} rounds ( 2 "/ 2 -'°s»’ encryptions). This 
does not necessarily happen in the middle of a cipher, so we may have to perform 
up to times more encryptions before we reach a fixed point for . In half of the 
cases (if the first symmetric point happened at an even round) we will receive 
an orbit “slidable” by two rounds, and in the other half of the cases (symmetric 
point at odd rounds) an orbit will be “slidable” by one round. Even if an orbit 
is “slidable” only by two, and thus /2-bit filtration will be unreachable to us, 

^ If A were behaving like a random function, it would be enough to take 2^{n/2} + N 
encryptions, from an orbit of some arbitrarily chosen element P, but since E is 
expected to behave like a random permutation, an orbit of P will be a part of 
usually a very large cycle, leaving no place for collisions. Considering a few more 
orbits will not help either. 
the encryption fixed point that ends our orbit helps us slide the orbit correctly 
(at most /2 possibilities). 

4 Cryptanalysis of DESX and Even-Mansour Schemes 

DESX is an extension of DES proposed by Rivest in 1984. It makes DES more 
resistant to exhaustive search attacks by XORing two 64-bit keys: one at the 
input and another at the output of the DES encryption box^. See [10,16] for 
theoretical analysis of DESX. 

In this section we show the unexpected result that the DESX construction 
contains just enough symmetry to allow for slide attacks. These results are ac- 
tually generally applicable to all uses of pre- and post-whitening (when applied 
using self-inverse operations like xor), but for convenience of exposition we will 
focus on DESX. 

The attacks presented here are another example of an application of the pow- 
erful new sliding with a twist technique. Our attacks on DESX are significantly 
better than the best previously known attacks: we need just 2^{32.5} known texts 
and 2^{87.5} time for the analysis, while the best generic attack reported in the lit- 
erature is a chosen-plaintext attack with comparable complexity [10,16]^. Thus, 
sliding techniques allow one to move from the chosen-text attack model to the 
more realistic known-text attack model. Even more unexpectedly, our attack can 
also be converted to a ciphertext-only attack. 

We briefly recall the definition of DESX. Let k{ ) denote the result of DES- 
encrypting the plaintext under the key . Then we define DESX encryption 
under the key = ( a, y) as k{ ) = y © fc( © a:)- To set up the 
necessary slide relation, we imagine lining up a DESX encryption against a 
slid DESX decryption, as shown in Figure 5. More specifically, we say that the 
two known plaintext pairs ( ) and ( ' ') form a slid pair if © ^ = y. 

Consequently, for any slid pair, we will have 

'= :.© '® y) = X® ) 

as well as = a, © jT ^( ')• Combining these two equations yields x = © 

jT^( 0 = ^ © fc ^( )• As a result, we get a necessary property of slid pairs: 
they must satisfy 



= u\')® '■ W 

To get a single slid pair, we obtain 2^{32.5} known plaintexts ( i, i) and search 
for a pair which satisfies the sliding condition (*). The pairs can be recognized 
efficiently with the following technique. We guess the DES key k. Next, we insert 

® Note that an idea to use simple keyed transformations around a complex mixing 
transform goes back to Shannon [18, p. 713]. 

® One may apply differential or linear cryptanalysis to DESX, but then at least 2®°- 
2®^ texts are needed [11]. In contrast, slide attacks allow for a generic attack with a 
much smaller data complexity. 
Fig. 5. Sliding with a twist, applied to DESX. 

fc i) ⊕ i into a lookup table for each i; alternatively, we may sort the texts 
by this value. A good slid pair ( , ), ( ', ') will show up as a collision in the 
table. Also, each candidate slid pair will suggest a value for x and y as above 
(e.g., y = ⊕ ' and x = ⊕ ^ 0)? so we try the suggested DESX key 
( , x, y) immediately on a few known texts. With 2^{32.5} known texts, we expect 
to find one false match (which can be eliminated quickly) per guess at k, as well 
as one correct match (if our guess at k was correct). If this attack sketch is not 
clear, see the algorithmic description in Figure 6. 

In total, the average complexity of our slide attack on DESX is 2^{87.5} of- 
fline trial DES encryptions, 2^{32.5} known texts, and 2^{32.5} space. The slide attack 
is easily parallelized. Compare this to the best attack previously reported in 
the open literature, which is a chosen-plaintext attack that needs 2^{120−m} time 
(average-case) when 2^{m} texts are available [10,16]. Therefore, our attack converts 
the chosen-plaintext assumption to a much more reasonable known-plaintext as- 
sumption at no increase in the attack complexity. 

Ciphertext-only attacks. Note that in many cases our slide attack on DESX 
can even be extended to a ciphertext-only attack. We suppose (for simplicity) 
that most plaintext blocks are composed of just the lowercase letters ‘a’ to ‘z’, 
encoded in ASCII, so that 24 bits of each plaintext are known®. For each i we 
calculate 24 bits of ^^( i) ⊕ i and store the result in a lookup table. Due to 
the weak filtering condition, by the birthday paradox we expect to find about 
2^{2·32.5−1−24} = 2^{40} collisions in the table. Each collision suggests a value for y 
(as y = ⊕ ') and for 24 bits of x, which we immediately try with a few DESX 
trial decryptions on other known ciphertexts. Therefore, for each guess of k the 
work factor is 2^{40} DES operations. 

® The attack degrades gracefully if our model of the plaintext source is only proba- 
bilistic; for instance, if half of the texts follow the model, the attack will need only 
√2 times as many ciphertexts and only twice as much work. 
Attack: 

1. Collect 2^{32.5} known plaintexts ( i, i). 

2. For each ∈ {0,1}^{56}, do 

3. Insert ( i) ⊕ i, i) into a hash table keyed by the first component. 

4. For each i, j with i) ⊕ i = j) ⊕ j, do 

5. Set y = i ⊕ ' and x = j ⊕ ^( i ⊕ y). 

6. Test the validity of the guessed key ( , x, y) on a few more known texts. 

Fig. 6. The DESX slide attack, in full detail. It is clear that — once discovered — 
the attack may be described without reference to sliding, but the sliding with a 
twist methodology made it possible to find the attack in the first place. 



This provides a simple ciphertext-only attack needing about 2^{32.5} ciphertexts 
and 2®® offline DES operations. The work-factor can be reduced somewhat to 
2®® simple steps (where each step is much faster than a trial decryption), if 2®® 
known ciphertexts are available, by considering candidate slid pairs two at a 
time and filtering on the suggested value of y, since then the correct value of 
y will be suggested at least twice and can therefore be recognized in this way 
before doing any trial decryptions. Note that these ciphertext-only attacks are 
applicable not only to ECB mode but also to most of the standard chaining 
modes, including CBC and CFB modes. 

Cryptanalysis of the Even-Mansour Scheme. In [7], Even and Mansour 
studied a simple -bit block cipher construction based on a fixed pseudo-random 
permutation and keyed -bit XORs at the input and at the output. Due to the 
generic nature of our previous attack on DESX it can also be used to analyze the 
Even-Mansour construction®. In the case of Even-Mansour we replace k with 
an unkeyed mixing transformation on -bit blocks, so our slide attack succeeds 
with just 2^{(n+1)/2} known plaintexts and 2^{(n+1)/2} work. This provides a known- 
plaintext attack with the same complexities as the best previously known chosen- 
plaintext attack [6] and within a factor of \pl away from the Even-Mansour lower 
bound. 
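
The whitening-only slide relation that underlies both the DESX attack (Figure 6) and the Even-Mansour case can be exercised on a toy instance. The following is an added example, not code from the paper: it builds a 16-bit Even-Mansour cipher E(P) = k_y ⊕ F(P ⊕ k_x) with a public permutation F (a seeded shuffle, constructed here), which is the DESX setting once the DES key is known. Two known texts (P, C) and (P', C') with P ⊕ P' = k_x form a slid pair; for such a pair F(P) ⊕ C = F(P') ⊕ C', so slid pairs appear as collisions in a table keyed by F(P_i) ⊕ C_i, and each collision suggests k_y = F(P_i) ⊕ C_j and k_x = P_i ⊕ P_j, which is confirmed on a few other texts. That relation and the key formulas are written in the example's own notation following the description around Figure 6. The number of known texts, 2^{11}, is larger than the 2^{(n+1)/2} ≈ 2^{8.5} of the text so that the toy run is deterministic enough to check; at 2^{8.5} texts about one slid pair is expected, at 2^{11} about thirty.

```python
# Added example (not from the paper): slid-pair relation of XOR whitening on a
# toy 16-bit Even-Mansour cipher.  The permutation, the keys and the
# known-plaintext sample are all constructed here.
import random

N_BITS = 16
MASK = (1 << N_BITS) - 1

# Public permutation F: a seeded shuffle of all 2^16 block values (constructed).
_perm_rng = random.Random(2000)
F_TABLE = list(range(1 << N_BITS))
_perm_rng.shuffle(F_TABLE)


def F(x: int) -> int:
    """The fixed, key-independent mixing permutation."""
    return F_TABLE[x]


def encrypt(p: int, kx: int, ky: int) -> int:
    """Even-Mansour / DESX-style encryption with XOR whitening keys kx, ky."""
    return ky ^ F(p ^ kx)


def slid_pair_relation_holds(p1: int, c1: int, p2: int, c2: int) -> bool:
    """Necessary condition for a slid pair: F(P) ^ C == F(P') ^ C'."""
    return (F(p1) ^ c1) == (F(p2) ^ c2)


def recover_whitening_keys(texts, verify_count: int = 4):
    """Known-plaintext recovery of (kx, ky) from a list of (P, C) pairs.

    Tabulates F(P_i) ^ C_i, treats every collision as a candidate slid pair,
    derives the keys the pair suggests and confirms them on a few texts that
    were not part of the collision.  Returns (kx, ky) or None."""
    table = {}
    for i, (p, c) in enumerate(texts):
        table.setdefault(F(p) ^ c, []).append(i)
    for idxs in table.values():
        for a in range(len(idxs)):
            for b in range(a + 1, len(idxs)):
                pi, ci = texts[idxs[a]]
                pj, cj = texts[idxs[b]]
                ky = F(pi) ^ cj          # C_j = ky ^ F(P_j ^ kx) = ky ^ F(P_i)
                kx = pi ^ pj             # slid pair: P' = P ^ kx
                others = [t for k, t in enumerate(texts)
                          if k not in (idxs[a], idxs[b])][:verify_count]
                # A false collision suggests wrong keys, which fail this check.
                if all(encrypt(p, kx, ky) == c for p, c in others):
                    return kx, ky
    return None


def demo(num_texts: int = 1 << 11, seed: int = 7):
    """Constructed keys plus a random known-plaintext sample.  Returns
    (true_keys, recovered_keys, number_of_slid_pairs_in_sample)."""
    rng = random.Random(seed)
    kx, ky = rng.getrandbits(N_BITS), rng.getrandbits(N_BITS)
    plaintexts = rng.sample(range(1 << N_BITS), num_texts)
    texts = [(p, encrypt(p, kx, ky)) for p in plaintexts]
    present = set(plaintexts)
    slid_pairs = sum(1 for p in plaintexts if (p ^ kx) in present) // 2
    return (kx, ky), recover_whitening_keys(texts), slid_pairs


if __name__ == "__main__":
    keys, recovered, slid = demo()
    print(f"true keys {keys}, recovered {recovered}, slid pairs in sample {slid}")
```

The point for anyone relying on pre- and post-whitening is the one the text makes: the two whitening keys together withstand only about 2^{n/2} known texts against a known inner permutation, however long they are, so the inner cipher's own key must carry the security margin.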



5 Analysis of GOST 

GOST, the Russian encryption standard [19], was published in 1989.^ Even 
after a considerable amount of time and effort, no progress in cryptanalysis of the 
standard was made in the open literature except for a brief overview of the GOST 
structure in [4] and a related-key attack in [9]. In this section we apply slide 
techniques to GOST and thus are able to produce cryptanalytic results that 
shed some light on its internal structure. 

® Of course, these attacks will apply with the same complexity to DESX when the 
DES key k is known somehow. 

^ It was translated into English in 1993 and has since become well known to the open 
cryptographic community. 
The GOST encryption algorithm is a block cipher with 256-bit keys and a 
64-bit block length. GOST is designed as a 32-round Feistel network, with 32-bit 
round subkeys. See Figure 7 for a picture of one round of GOST. 



Fig. 7. One round of a GOST cipher. (Figure not reproduced; the two halves of the 
state shown in it are 32 bits each.) 



The key schedule divides the 256-bit key into eight 32-bit words K_0, …, K_7, 
and then uses those key words in the order K_0, …, K_7, K_0, …, K_7, K_0, …, K_7, 
K_7, K_6, …, K_0. Notice the ‘twist’ in the last 8 rounds. 

The Analysis of GOST. GOST looks like a cipher that can be made either ar- 
bitrarily strong or arbitrarily weak depending on the designer’s intent since some 
crucial parts of the algorithm are left unspecified. A huge number of rounds (32) 
and a well-studied Feistel construction combined with Shannon’s substitution- 
permutation sequence provide a solid basis for GOST’s security. However, as in 
DES everything depends on the exact choice of the S-boxes and the key-schedule. 
This is where GOST conceptually differs from DES: the S-boxes are not speci- 
fied in the standard and are left as a secondary key common to a “network of 
computers”®. 

The second mystery of GOST is its key-schedule. It is very simple and pe- 
riodic with the period of eight rounds except for the last eight rounds where 
a twist happens. It is intriguing to find a reason for the twist in the last eight 
rounds of the key schedule. Moreover, in many applications we may wish to use 
shorter 64- or 128-bit keys, yet it is not clear how to extend these to a full 256-bit 
GOST key securely (fill the rest with zeros, copy the bits till they cover 256 bits, 
copy bits in a reversed order?). 

Why the Twist? Consider a GOST cipher with a homogeneous key schedule, 
i.e., omitting the final twist (let us denote it GOST-H). Is this cipher less se- 
cure than GOST? We argue that, if one takes into account the slide attacks, it 



Contrary to common belief, the standard does not even require the S-boxes to be 
permutations. 
is. GOST-H can be decomposed into four identical transforms, each consisting 
of eight rounds of GOST. Furthermore, if one assumes that the round subkey 
is XORed instead of being added, the cipher will have 2^{128} weak keys of the 
form (A A ) (here each letter represents a 32-bit GOST subkey). 
These keys are weak since they allow for a sliding with a twist attack. 
There is a known plaintext attack with 2^{32} texts and time, and a chosen plain- 
text attack with 2^{16} texts and time; see Section 3.3 for more details. 

Notice that the 2^{128} keys of the form (A A) are also weak 
since GOST-H with these keys is an involution and thus double encryption will 
reveal the plaintext. Since these keys are invariant under a twist the same prop- 
erty holds for GOST itself. Also, there are 2^{32} fixed points for each key of this 
form, which demonstrates that there may be problems with using GOST to build 
a secure hash function. 

The Attack on 20 rounds of GOST⊕. Suppose again that the round sub- 
key is XORed instead of being added (we will denote this variant of GOST as 
GOST⊕). Here we show an application of sliding with a twist which results in 
an attack on the last 20 rounds of GOST⊕. 

Applying sliding with a twist, we get a picture that looks like this: 



K_4 K_5 K_6 K_7 K_0 K_1 K_2 K_3 K_4 K_5 K_6 K_7 K_7 K_6 K_5 K_4 K_3 K_2 K_1 K_0 

                K_0 K_1 K_2 K_3 K_4 K_5 K_6 K_7 K_7 K_6 K_5 K_4 K_3 K_2 K_1 K_0 K_7 K_6 K_5 K_4 

Let denote 4 rounds of GOST⊕ with key K_4, …, K_7. With a pool of 2®® 
known texts, we expect to find two slid pairs, and each slid pair gives two in- 
put/output pairs for . Breaking with two known texts is straightforward, 
and can be performed in time comparable to about 2® evaluations of 4-round 
GOST (equivalent to 2® 20-round trial encryptions). Thus in our attack we ex- 
amine all 2®® text pairs; each pair suggests a value for 128 bits of key material, 
which we store in a hash table (or sorted list). The right key will be suggested 
twice, so we expect to be able to recognize it easily. By the birthday paradox, 
there will be only about two false matches, and they can be eliminated in the 
next phase. 

Once we have recovered K_4, …, K_7, it is easy to learn the rest of the key in a 
second analysis phase. For example, we can peel off the first four rounds and look 
for fixed points in the same pool of texts. Since the round subkeys are palindromic 
in the last sixteen rounds of GOST, there are 2^{32} fixed points, and each has the 
value ( , ) before the last eight rounds of encryption. Thus, given a fixed point, 
we can try the 2^{32} values of ( , ), encrypt forward and backward eight rounds, 
and obtain two candidate input/output pairs for 4 rounds of GOST⊕ with key 
K_0, …, K_3, so that a value for K_0, …, K_3 is suggested after 2® work; then the 
suggested 256-bit key value is tried on another known text pair. 

In all, this gives an attack on the last 20 rounds of GOST⊕ that needs 2®® 
known texts, 2^® work, and 2®® space to recover the entire 256-bit key. Note 
that this attack is generic and works for any set of (known) S-boxes. The large 
memory requirements make the attack highly impractical, but we view it as a 
first step towards a better understanding of the GOST design. 
6 Related Work 

The first step in the “sliding” direction can be dated back to a 1978 paper by 
Grossman and Tuckerman [8], which has shown how to break a weakened Feistel 
cipher® by a chosen plaintext attack, independent of the number of rounds. 
We were also inspired by Biham’s work on related-key cryptanalysis [1], and 
Knudsen’s early work [12]. 

Some related concepts can be found in Coppersmith’s analysis of fixed points 
in DES weak keys and cycle structure of DES using these keys [5]. This analysis 
was continued further by Moore and Simmons [14]. For a DES weak key, all 
round subkeys are constant, and so encryption is self-inverse and fixed points are 
relatively common: there are precisely 2^{32} fixed points. Note that this property 
will also be found in any Feistel cipher with palindromic round key sequences, 
so the slide attack is not the only weakness of ciphers with self-similar round 
subkey sequences. 
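
The involution and fixed-point properties invoked here and in the GOST-H discussion of Section 5 (a palindromic subkey sequence makes the cipher self-inverse and gives it 2^{n/2} fixed points) can be verified exhaustively on a small instance. The following is an added example, not code from the paper: a toy 16-bit balanced Feistel network with eight rounds, a final swap and a constructed round function. With a palindromic subkey list, or with all subkeys equal as for a DES weak key, double encryption returns every plaintext and exactly 2^{8} = 256 of the 2^{16} blocks are fixed points; an ordinary subkey list shows neither property. The reason is that with palindromic keys the second half of the network is the inverse of the first half conjugated by the swap, so the whole cipher is A⁻¹ ∘ swap ∘ A for the first-half map A, whose fixed points are exactly the blocks that A sends to a symmetric state (L = R).

```python
# Added example (not from the paper): involution and fixed-point count of a toy
# Feistel cipher under palindromic round subkeys.  The round function and all
# subkey lists are constructed for illustration.
HALF_BITS = 8
HALF_MASK = (1 << HALF_BITS) - 1
BLOCK_SPACE = 1 << (2 * HALF_BITS)   # all 2^16 blocks


def round_function(r: int, k: int) -> int:
    """Toy keyed round function (constructed): key mixing, a nonlinear map,
    then a rotation.  The argument below does not depend on its details."""
    x = (r + k) & HALF_MASK
    x = (x * x + 3 * x + 1) & HALF_MASK
    return ((x << 3) | (x >> (HALF_BITS - 3))) & HALF_MASK


def encrypt(block: int, subkeys) -> int:
    """Balanced Feistel encryption, one subkey per round, final swap included."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    left, right = right, left
    return (left << HALF_BITS) | right


def decrypt(block: int, subkeys) -> int:
    """Decryption is the same network with the subkeys in reverse order."""
    return encrypt(block, list(reversed(subkeys)))


def is_involution(subkeys) -> bool:
    """True when E(E(x)) == x for every block, i.e. encryption == decryption."""
    return all(encrypt(encrypt(x, subkeys), subkeys) == x for x in range(BLOCK_SPACE))


def count_fixed_points(subkeys) -> int:
    """Number of blocks x with E(x) == x, found by exhaustive search."""
    return sum(1 for x in range(BLOCK_SPACE) if encrypt(x, subkeys) == x)


PALINDROMIC = [0x1A, 0x2B, 0x3C, 0x4D, 0x4D, 0x3C, 0x2B, 0x1A]
CONSTANT = [0x5E] * 8          # all subkeys equal, as for a DES weak key
ORDINARY = [0x1A, 0x2B, 0x3C, 0x4D, 0x5E, 0x6F, 0x70, 0x81]

if __name__ == "__main__":
    for name, ks in (("palindromic", PALINDROMIC), ("constant", CONSTANT),
                     ("ordinary", ORDINARY)):
        print(f"{name:11s}: involution={is_involution(ks)}, "
              f"fixed points={count_fixed_points(ks)}")
```

The count 2^{n/2} holds for any round function and any even number of rounds, which is why the text can state 2^{32} fixed points for the 64-bit GOST and DES cases without reference to their S-boxes; a hash construction built on such a cipher inherits these easily found fixed points.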

7 Discussion 

In this section we discuss possible extensions of slide attacks presented in this 
paper and possible directions of future research. 

The most obvious type of slide attack is usually easy to prevent by destroying 
self-similarity in iterative ciphers, for example by adding iteration counters or 
fixed random constants. However, more sophisticated variants of this technique 
are harder to analyze and to defend against. This paper is a first step towards 
advanced slide attacks which can penetrate more complex cipher designs. 

One promising new direction is the differential slide attack. By sliding two 
encryptions against each other, we obtain new differential relations which in 
some cases are not available in the conventional differential analysis of a cipher. 
These might be very powerful, since they might for example violate the subtle 
design constraints placed on the system by its designer and thus result in unex- 
pected differential properties. If key-scheduling is not self-similar or symmetric, 
differences in subkeys can cause constant XOR values to be introduced in the 
middle of the encryption process when slid pairs are considered. (In many cases, 
one can slide by different numbers of rounds and thus control the differences 
to some extent.) The drawback of this method is the same as in conventional 
methods: its complexity increases fast with the number of rounds, contrary to 
the general sliding technique, which works for an arbitrary number of rounds. 